Re: Kernel module for file protection ideas

[Valdis.Kletnieks () vt edu]

On Fri, 09 Jan 2004 11:28:50 +0530, "Aditya [ Aditya Lalit Deshmukh ]" <aditya () online gateway technolabs net>  said:

> this would be a very bad idea as any kernel level programmer will tell you
> that every 'if' takes time for comparison and you will be doing that every time
> for evry file access and parsing through a list of datastructs and other stuff
> that would possibally will make the system very slow for any "real world"  use

Odd, I'm running SELinux, which calls a hook on most system calls, and the slowdown
isn't noticable.  On the other hand, much thought went into work on optimizing
the speed (hint 1: a linear search through a list is NOT the way to do it).

The problem is that properly defining all the security contexts is tricky - for
instance, you may want to make "which filenames are bad" depend on the program.
There's places in the filesystem you want /bin/ls to  be able to look but you
don't want /bin/passwd to be looking.

The policy.conf file for the SELinux on my laptop is 55,000+ lines long.  And
that's the REAL issue - trying to describe the security policy for a production
system....

Attachment: _bin
Description: