Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-30 Thread Casey Schaufler
--- Kazuki Omo(Company) [EMAIL PROTECTED] wrote: Dear, Folks, Now we are planning to submit LIDS to mainline. (As you know, it already written for supporing LSM for several years.) When we will finish to re-write documentation and some FAQ, then we will be able to submit the patch.

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-29 Thread Kazuki Omo(Company)
Dear, Folks, Now we are planning to submit LIDS to mainline. (As you know, it already written for supporing LSM for several years.) When we will finish to re-write documentation and some FAQ, then we will be able to submit the patch. Sincerely, OMO Serge E. Hallyn wrote: (2007/10/09 03:00):

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-11 Thread Kyle Moffett
Ok, finally getting some time to work on this stuff once again (life gets really crazy sometimes). I would like to postulate that you can restate any SMACK policy as a functionally equivalent SELinux policy (with a few slight technical differences, see below). I've been working on a

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-11 Thread Alan Cox
from under that missunderstanding, and with people who are assuming that your policy has been done, proving the point. I'd love to have time to finish the script but unfortunately real life keeps interfering and I'm going to have to go back to lurking on this thread. How about

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-08 Thread Serge E. Hallyn
Quoting Eric W. Biederman ([EMAIL PROTECTED]): Kyle Moffett [EMAIL PROTECTED] writes: On Oct 04, 2007, at 21:44:02, Eric W. Biederman wrote: What we want from the LSM is the ability to say -EPERM when we can clearly articulate that we want to disallow something. This sort of depends

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-08 Thread Eric W. Biederman
Serge E. Hallyn [EMAIL PROTECTED] writes: Quoting Eric W. Biederman ([EMAIL PROTECTED]): Perform the split up you talked about above and move the table matching into the LSM hooks. Use something like the iptables action and match to module mapping code so we can have multiple modules

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-08 Thread Casey Schaufler
--- Serge E. Hallyn [EMAIL PROTECTED] wrote: Quoting Casey Schaufler ([EMAIL PROTECTED]): ... Good suggestion. In fact, that is exactly how I approached my first two attempts at the problem. What you get if you take that route is an imposing infrastructure that has virually nothing to

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-08 Thread Serge E. Hallyn
Quoting Eric W. Biederman ([EMAIL PROTECTED]): Serge E. Hallyn [EMAIL PROTECTED] writes: Also I'm thinking towards what do we have to do isolate the security module stuff in the context of a namespace. So that a person in a container can setup their own rules that further restrict the

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-08 Thread Eric W. Biederman
Casey Schaufler [EMAIL PROTECTED] writes: --- Eric W. Biederman [EMAIL PROTECTED] wrote: Likely. Until we have a generalized LSM interface with 1000 config options like netfilter I don't expect we will have grounds to talk or agree to a common user space interface. Although I could be

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-08 Thread Serge E. Hallyn
Quoting Eric W. Biederman ([EMAIL PROTECTED]): Casey Schaufler [EMAIL PROTECTED] writes: --- Eric W. Biederman [EMAIL PROTECTED] wrote: Likely. Until we have a generalized LSM interface with 1000 config options like netfilter I don't expect we will have grounds to talk or agree to

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-08 Thread Eric W. Biederman
Serge E. Hallyn [EMAIL PROTECTED] writes: Quoting Eric W. Biederman ([EMAIL PROTECTED]): It really seems to me that the LSM as currently structured creates a large barrier to entry for people who have just this little thing they want to do that is not possible with any existing security

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-08 Thread Casey Schaufler
--- Eric W. Biederman [EMAIL PROTECTED] wrote: It really seems to me that the LSM as currently structured creates a large barrier to entry for people who have just this little thing they want to do that is not possible with any existing security module. I honestly think that the barrier has

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-08 Thread Casey Schaufler
--- Eric W. Biederman [EMAIL PROTECTED] wrote: My very practical question: How do I run selinux in one container, and SMACK in another? How would you run PREEMPT_RT in one container, and PREEMPT_DESKTOP in another? How would you run SMP in one and UP in the other? One aspect that SELinux

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-08 Thread Eric W. Biederman
Casey Schaufler [EMAIL PROTECTED] writes: --- Eric W. Biederman [EMAIL PROTECTED] wrote: It really seems to me that the LSM as currently structured creates a large barrier to entry for people who have just this little thing they want to do that is not possible with any existing security

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-08 Thread Casey Schaufler
--- Eric W. Biederman [EMAIL PROTECTED] wrote: Casey Schaufler [EMAIL PROTECTED] writes: --- Eric W. Biederman [EMAIL PROTECTED] wrote: Likely. Until we have a generalized LSM interface with 1000 config options like netfilter I don't expect we will have grounds to talk or agree

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-08 Thread Alan Cox
My very practical question: How do I run selinux in one container, and SMACK in another? In the LSM model you don't because you could have the same container objects visible in different contains at the same time and subject to different LSMs. What does it mean to pass an SELinux protected

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-08 Thread Bill Davidsen
Serge E. Hallyn wrote: (tongue-in-cheek) No no, everyone knows you don't build simpler things on top of more complicated ones, you go the other way around. So what he was suggesting was that selinux be re-written on top of smack. Having gone from proposing a simpler and easier to use

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-06 Thread Bill Davidsen
Kyle Moffett wrote: On Oct 04, 2007, at 21:44:02, Eric W. Biederman wrote: What we want from the LSM is the ability to say -EPERM when we can clearly articulate that we want to disallow something. This sort of depends on perspective; typically with security infrastructure you actually want

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-05 Thread Casey Schaufler
--- Kyle Moffett [EMAIL PROTECTED] wrote: On Oct 05, 2007, at 00:45:17, Eric W. Biederman wrote: Kyle Moffett [EMAIL PROTECTED] writes: On Oct 04, 2007, at 21:44:02, Eric W. Biederman wrote: SElinux is not all encompassing or it is generally incomprehensible I don't know which. Or

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-05 Thread Stephen Smalley
On Fri, 2007-10-05 at 09:27 -0700, Casey Schaufler wrote: --- Kyle Moffett [EMAIL PROTECTED] wrote: On Oct 05, 2007, at 00:45:17, Eric W. Biederman wrote: Kyle Moffett [EMAIL PROTECTED] writes: On Oct 04, 2007, at 21:44:02, Eric W. Biederman wrote: SElinux is not all encompassing

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-05 Thread Eric W. Biederman
Stephen Smalley [EMAIL PROTECTED] writes: On Fri, 2007-10-05 at 09:27 -0700, Casey Schaufler wrote: --- Kyle Moffett [EMAIL PROTECTED] wrote: On Oct 05, 2007, at 00:45:17, Eric W. Biederman wrote: Kyle Moffett [EMAIL PROTECTED] writes: On Oct 04, 2007, at 21:44:02, Eric W.

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-04 Thread Derek Fawcus
On Wed, Oct 03, 2007 at 01:12:46AM +0100, Alan Cox wrote: The value of SELinux (or indeed any system compartmentalising access and limiting damage) comes into play when you get breakage - eg via a web browser exploit. well, being sick of the number of times one has to upgrade the browser

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-04 Thread Derek Fawcus
On Thu, Oct 04, 2007 at 07:18:47PM -0400, Chuck Ebbert wrote: I ran firefox setuid to a different (not my main user), uid+gid, gave my main account that gid as a supplemental group, and gave that uid access to the X magic cookie. You need to use runxas to get any kind of real security.

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-04 Thread Kyle Moffett
On Oct 05, 2007, at 00:45:17, Eric W. Biederman wrote: Kyle Moffett [EMAIL PROTECTED] writes: On Oct 04, 2007, at 21:44:02, Eric W. Biederman wrote: SElinux is not all encompassing or it is generally incomprehensible I don't know which. Or someone long ago would have said a better way to

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-02 Thread Thomas Bleher
* Christoph Hellwig [EMAIL PROTECTED] [2007-10-02 10:14]: On Sun, Sep 30, 2007 at 01:16:18AM -0700, Andrew Morton wrote: reviewed the August thread from your version 1 submission and the message I take away is that the code has been well-received and looks good when considered on its own

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-02 Thread Linus Torvalds
On Tue, 2 Oct 2007, Bill Davidsen wrote: And yet you can make the exact same case for schedulers as security, you can quantify the behavior, but if your only choice is A it doesn't help to know that B is better. You snipped a key part of the argument. Namely: Another difference is that

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-02 Thread Alan Cox
On Tue, 02 Oct 2007 17:02:13 -0400 Bill Davidsen [EMAIL PROTECTED] wrote: Linus Torvalds wrote: On Mon, 1 Oct 2007, Stephen Smalley wrote: You argued against pluggable schedulers, right? Why is security different? Schedulers can be objectively tested. There's this thing called

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-02 Thread Linus Torvalds
On Wed, 3 Oct 2007, Alan Cox wrote: Smack seems a perfectly good simple LSM module, its clean, its based upon credible security models and sound theory (unlike AppArmor). The problem with SELinux isn't the theory. It's the practice. IOW, it's too hard to use. Apparently Ubuntu is giving

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-02 Thread Linus Torvalds
On Tue, 2 Oct 2007, Bill Davidsen wrote: Unfortunately not so, I've been looking at schedulers since MULTICS, and desktops since the 70s (MP/M), and networked servers since I was the ARPAnet technical administrator at GE's Corporate RD Center. And on desktops response is (and should be

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-02 Thread Crispin Cowan
Linus Torvalds wrote: Security, on the other hand, very much does depend on the circumstances and the wishes of the users (or policy-makers). And if we had one module that everybody would be happy with, I'd not make it pluggable either. But as it is, we _know_ that's not the case. And

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-01 Thread James Morris
On Sun, 30 Sep 2007, Andrew Morton wrote: So with the information which I presently have available to me, I'm thinking that this should go into 2.6.24. I think the decision to merge Smack is something that needs to be considered in the wider context of overall security architecture. Smack

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-01 Thread Linus Torvalds
On Mon, 1 Oct 2007, James Morris wrote: Merging Smack, however, would lock the kernel into the LSM API. Presently, as SELinux is the only in-tree user, LSM can still be removed. Hell f*cking NO! You security people are insane. I'm tired of this only my version is correct crap. The whole

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-01 Thread Casey Schaufler
--- James Morris [EMAIL PROTECTED] wrote: On Sun, 30 Sep 2007, Andrew Morton wrote: So with the information which I presently have available to me, I'm thinking that this should go into 2.6.24. I think the decision to merge Smack is something that needs to be considered in the wider

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-01 Thread Stephen Smalley
On Mon, 2007-10-01 at 08:07 -0700, Linus Torvalds wrote: On Mon, 1 Oct 2007, James Morris wrote: Merging Smack, however, would lock the kernel into the LSM API. Presently, as SELinux is the only in-tree user, LSM can still be removed. Hell f*cking NO! You security people are

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-01 Thread Linus Torvalds
On Mon, 1 Oct 2007, Stephen Smalley wrote: You argued against pluggable schedulers, right? Why is security different? Schedulers can be objectively tested. There's this thing called performance, that can generally be quantified on a load basis. Yes, you can have crazy ideas in both

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-01 Thread Casey Schaufler
--- Stephen Smalley [EMAIL PROTECTED] wrote: On Mon, 2007-10-01 at 08:07 -0700, Linus Torvalds wrote: On Mon, 1 Oct 2007, James Morris wrote: Merging Smack, however, would lock the kernel into the LSM API. Presently, as SELinux is the only in-tree user, LSM can still be

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-01 Thread Olivier Galibert
On Mon, Oct 01, 2007 at 09:04:44AM -0700, Linus Torvalds wrote: For example, you security guys still debate inodes vs pathnames, as if that was an either-or issue. Quite frankly, I'm not a security person, but I can tell a bad argument from a good one. And an argument that says inodes _or_

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-01 Thread Theodore Tso
On Mon, Oct 01, 2007 at 11:40:39AM -0400, Stephen Smalley wrote: You argued against pluggable schedulers, right? Why is security different? Do you really want to encourage people to roll their own security module rather than working toward a common security architecture and a single

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-01 Thread Casey Schaufler
--- Andi Kleen [EMAIL PROTECTED] wrote: Anyways; if someone wants to cripple their security for some performance this way they can surely do this; but i don't think we should offer it as a default configuration option (just as we don't have a CONFIG_NULL_LSM even though there are

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-10-01 Thread Jan Engelhardt
On Sep 30 2007 01:16, Andrew Morton wrote: Documentation/Smack.txt | 104 + security/Kconfig |1 security/Makefile |2 security/smack/Kconfig| 10 security/smack/Makefile |9 security/smack/smack.h| 207 ++

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Andrew Morton
On Sat, 29 Sep 2007 17:20:36 -0700 Casey Schaufler [EMAIL PROTECTED] wrote: Smack is the Simplified Mandatory Access Control Kernel. I don't know enough about security even to be dangerous. I went back and reviewed the August thread from your version 1 submission and the message I take away

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Christoph Hellwig
On Sun, Sep 30, 2007 at 01:16:18AM -0700, Andrew Morton wrote: reviewed the August thread from your version 1 submission and the message I take away is that the code has been well-received and looks good when considered on its own merits, but selinux could probably be configured to do

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Casey Schaufler
--- Andrew Morton [EMAIL PROTECTED] wrote: On Sat, 29 Sep 2007 17:20:36 -0700 Casey Schaufler [EMAIL PROTECTED] wrote: Smack is the Simplified Mandatory Access Control Kernel. I don't know enough about security even to be dangerous. I went back and reviewed the August thread from

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Casey Schaufler
--- Andi Kleen [EMAIL PROTECTED] wrote: - Smack.txt and the website seem a bit skimpy. Is there enough documentation out there for someone to usefully (and, more importantly, safely) start using smack? Yes that's the important thing. - In his review of version 1, Andi

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Casey Schaufler
--- Christoph Hellwig [EMAIL PROTECTED] wrote: On Sun, Sep 30, 2007 at 01:16:18AM -0700, Andrew Morton wrote: reviewed the August thread from your version 1 submission and the message I take away is that the code has been well-received and looks good when considered on its own merits, but

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Andi Kleen
It does the job going off box, too. It does not as far as I can see. The IETF seems to have had very good reasons to never advance that draft any further. The authentication issues are very real, but a separate issue. First rule of network security: don't trust the network. And you seem to

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Andi Kleen
CIPSO is supported on SELinux as well. That's no reason to extend that design mistake. It certainly has uses where IPSec is excessive. One example is someone I talked to recently that basically has a set of blade systems connected with a high speed backplane that looks like a network

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Joshua Brindle
Andi Kleen wrote: - hm, netlabels. Who might be a suitable person to review that code? Seems that Paul Moore is the man. Maybe he'd be interested in taking a look over it (please?) I personally consider these IP options it uses to be pretty useless. Who could ever use that without

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Theodore Tso
On Sun, Sep 30, 2007 at 07:39:57PM +0200, Andi Kleen wrote: CIPSO also lets systems like SELinux and SMACK talk to other trusted systems (eg., trusted solaris) in a way they understand. Perhaps, but is the result secure? I have severe doubts. As always, it depends on your environment.

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Andi Kleen
Yes, normally the network is outside the Trusted Computing Base (TCB), Normally as in the 99.9% case. but a cluster of Linux machines in a rack is roughly the same size of a huge Unix server tens year ago --- and it's not like Ethernet is any more secure than the PCI bus. PCI busses

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Paul Moore
On Sunday 30 September 2007 3:07:42 pm Theodore Tso wrote: There are different kinds of security. Not all of them involve cryptography and IPSEC. Some of them involve armed soldiers and air gap firewalls. :-) Yes, normally the network is outside the Trusted Computing Base (TCB), but a

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Theodore Tso
On Sun, Sep 30, 2007 at 10:05:57PM +0200, Andi Kleen wrote: but a cluster of Linux machines in a rack is roughly the same size of a huge Unix server tens year ago --- and it's not like Ethernet is any more secure than the PCI bus. PCI busses normally don't have routers to networks

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Paul Moore
On Sunday 30 September 2007 4:16:18 am Andrew Morton wrote: - hm, netlabels. Who might be a suitable person to review that code? Seems that Paul Moore is the man. Maybe he'd be interested in taking a look over it (please?) Yep, I've been tracking Casey's work on this since the first

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread david
On Sun, 30 Sep 2007, Andi Kleen wrote: The authentication issues are very real, but a separate issue. First rule of network security: don't trust the network. This I agree with Without authentication it's completely useless. I don't understand how you can disregard that as separate issue.

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Casey Schaufler
--- Serge E. Hallyn [EMAIL PROTECTED] wrote: ... +A process can see the smack label it is running with by +reading /proc/self/attr/current. A privileged process can +set the process smack by writing there. Ok, so to control smack label transitions, basically you would run with