Vulnerability Development mailing list archives
RE: Kernel module for file protection ideas
From: "Aditya [ Aditya Lalit Deshmukh ]" <aditya () online gateway technolabs net>
Date: Sun, 11 Jan 2004 00:17:55 +0530
Don't get me wrong - I looked at the pseudo code and started making some assumptions that you were reinventing the wheel.

The SELinux is a fine implementation of the Flask arch! That is just what I use on the firewall - it works and does what it is supposed to do nicely, though I liked OpenBSD more but had to try out SELinux some time or the other.

Do keep me updated about the kernel module if you are going to make one - however, if you have the necessary skills then help the SELinux itself.

-aditya

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Saturday, January 10, 2004 2:57 AM
To: ald2003 () users sourceforge net
Cc: Just1n T1mberlake; vuln-dev () securityfocus com
Subject: Re: Kernel module for file protection ideas

On Fri, 09 Jan 2004 11:28:50 +0530, "Aditya [ Aditya Lalit Deshmukh ]" <aditya () online gateway technolabs net> said:
this would be a very bad idea as any kernel level programmer will tell you that every 'if' takes time for comparison and you will be doing that every time for every file access and parsing through a list of datastructs and other stuff that would possibly make the system very slow for any "real world" use
Odd, I'm running SELinux, which calls a hook on most system calls, and the slowdown isn't noticeable. On the other hand, much thought went into work on optimizing the speed (hint 1: a linear search through a list is NOT the way to do it).

The problem is that properly defining all the security contexts is tricky - for instance, you may want to make "which filenames are bad" depend on the program. There are places in the filesystem you want /bin/ls to be able to look but you don't want /bin/passwd to be looking.

The policy.conf file for the SELinux on my laptop is 55,000+ lines long. And that's the REAL issue - trying to describe the security policy for a production system....
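The two points in the reply above (the per-access hook must not walk a linear list, and the decision depends on which program is asking) shown as an added user-space C example; it is not part of the original thread and is not SELinux code. The names `rule`, `hash_pair`, `policy_load` and `may_read` are hypothetical, and the rule table is constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed policy: which program (subject) may read which path (object). */
struct rule { const char *subj, *obj; int allow; struct rule *next; };

#define NBUCKETS 64
static struct rule *bucket[NBUCKETS];
static struct rule rules[] = {
    { "/bin/ls",     "/etc/passwd", 1, 0 },
    { "/bin/ls",     "/home",       1, 0 },
    { "/bin/passwd", "/etc/passwd", 1, 0 },
    { "/bin/passwd", "/etc/shadow", 1, 0 },
};
#define NRULES (sizeof rules / sizeof rules[0])

/* FNV-1a over both strings, so the key is the (subject, object) pair. */
static uint32_t hash_pair(const char *s, const char *o)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) h = (h ^ (unsigned char)*s) * 16777619u;
    h = (h ^ 0xffu) * 16777619u;          /* separator between the strings */
    for (; *o; o++) h = (h ^ (unsigned char)*o) * 16777619u;
    return h % NBUCKETS;
}

/* Done once at policy load time, not on every access. */
void policy_load(void)
{
    memset(bucket, 0, sizeof bucket);
    for (size_t i = 0; i < NRULES; i++) {
        uint32_t b = hash_pair(rules[i].subj, rules[i].obj);
        rules[i].next = bucket[b];
        bucket[b] = &rules[i];
    }
}

/* Hook body: one hash plus a short chain walk; default deny on a miss. */
int may_read(const char *subj, const char *obj)
{
    for (struct rule *r = bucket[hash_pair(subj, obj)]; r; r = r->next)
        if (!strcmp(r->subj, subj) && !strcmp(r->obj, obj))
            return r->allow;
    return 0;
}

int main(void)
{
    policy_load();
    printf("ls->shadow: %d\n", may_read("/bin/ls", "/etc/shadow"));
    printf("passwd->shadow: %d\n", may_read("/bin/passwd", "/etc/shadow"));
    return 0;
}
```

The cost per access stays roughly constant as the rule table grows, which is the property a hook on every file access needs; writing the table itself is the hard part the reply describes.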
Current thread:
- Kernel module for file protection ideas Just1n T1mberlake (Jan 08)
- Re: Kernel module for file protection ideas Larry W. Cashdollar (Jan 08)
- Re: Kernel module for file protection ideas Bruno Lustosa (Jan 08)
- Re: Kernel module for file protection ideas George Capehart (Jan 09)
- Re: Kernel module for file protection ideas Michael Hendrickx (Jan 09)
- RE: Kernel module for file protection ideas Aditya [ Aditya Lalit Deshmukh ] (Jan 09)
- Re: Kernel module for file protection ideas Valdis . Kletnieks (Jan 10)
- RE: Kernel module for file protection ideas Aditya [ Aditya Lalit Deshmukh ] (Jan 10)
- Re: Kernel module for file protection ideas Valdis . Kletnieks (Jan 10)
- Re: Kernel module for file protection ideas Vikram Rangnekar (Jan 12)