[unisog] On the security of non-Windows op systems

Valdis.Kletnieks at vt.edu
Tue Feb 17 00:52:37 GMT 2004


On Sun, 15 Feb 2004 21:58:17 EST, Phillip G Deneault said:

> Another option is to apply many of the same security features in OpenVMS
> into another OS.  Some of the fine grain controls available in OpenVMS are
> available in SELinux.  This is a major component in Fedora Core 2.  
> GRsecurity(www.grsecurity.net) is an attempt to backport some of these and
> other features into the 2.4 Linux kernel.

A quick fact check here - in fact, the grsecurity patch for the 2.4 kernel
predates the SELinux work, and the two had differing goals.  grsecurity is a
quick roll-up of popular patches, based off Solar Designer's hardening patches.
SELinux is based on a domain-type enforcement model.

LSM (Loadable Security Modules) is a new 2.6 standard feature (there's a 2.4
backport patch) designed to add hooks to the Linux kernel so arbitrary security
models can be loaded and enforced.  As it turns out, the grsecurity
restrictions are somewhat difficult to express in SELinux (for instance, "don't
follow a symlink in a world-writable directory unless the target uid/gid match
the symlink's"), and coding all the SELinux in grsecurity would be painful (the
Fedora 'policy.conf' file is 139,819 lines long now ;)

There are provisions for "stacking" LSM modules - for instance, SELinux and the
Posix Capabilities module will stack.  There are some restrictions - most
notably, both modules have to be designed to allow stacking, and it helps if
the modules are addressing different orthogonal security models (for instance,
SELinux and capabilities stack well mostly because they don't even try to cover
the same things).  Otherwise you have to worry about the function composition
of the security models, which is both difficult and ugly (trying to use the
SELinux MAC and GRsecurity ACLs at the same time will be painful, for
instance).

There's absolutely no reason that you couldn't run a kernel that has SELinux,
capabilities, and a module that does the grsecurity checks that SELinux doesn't
do, all at the same time - other than nobody's written the grsecurity module
yet.

Oh, and before anybody asks, there *are* things that are in the grsecurity
patch that are basically impossible to do in the LSM framework because there's
no hooks for it. That basically includes the pax/no-exec-stack stuff - RedHat/
Fedora has a version of the competing exec-shield in their 2.6 kernel already -
and a few small things like randomized process IDs (which I intend to be doing
something about literally in a few hours here; code is already running, just not
submitted to linux-kernel yet).

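The symlink restriction quoted above ("don't follow a symlink in a world-writable directory unless the target uid/gid match the symlink's") is concrete enough to express as a userspace audit check. The following is an added example, not code from the post, grsecurity or the kernel; it implements the rule exactly as the post states it (grsecurity's own in-kernel check may differ), with the `StatInfo` stand-in, `symlink_follow_allowed`, `check_symlink`, `audit_directory` and `demo` names all being this example's own.

```python
import os
import shutil
import stat
import tempfile
from collections import namedtuple

# Stand-in for os.stat_result carrying only the fields the rule looks at,
# so the policy can be exercised with constructed ownership/mode values.
StatInfo = namedtuple("StatInfo", "st_mode st_uid st_gid")


def symlink_follow_allowed(dir_st, link_st, target_st):
    """Rule as stated in the post: inside a world-writable directory a
    symlink may only be followed if its owner uid/gid match the target's.
    Outside world-writable directories the rule does not apply."""
    if not (dir_st.st_mode & stat.S_IWOTH):
        return True
    return (link_st.st_uid == target_st.st_uid
            and link_st.st_gid == target_st.st_gid)


def check_symlink(path):
    """Audit one on-disk symlink. Returns True/False per the rule, or None
    if the link is dangling (nothing to compare ownership against)."""
    link_st = os.lstat(path)
    if not stat.S_ISLNK(link_st.st_mode):
        raise ValueError(f"{path} is not a symlink")
    dir_st = os.stat(os.path.dirname(os.path.abspath(path)))
    try:
        target_st = os.stat(path)          # follows the link
    except FileNotFoundError:
        return None
    return symlink_follow_allowed(dir_st, link_st, target_st)


def audit_directory(dirpath):
    """Return the symlinks directly under dirpath that the rule would block."""
    blocked = []
    for name in os.listdir(dirpath):
        full = os.path.join(dirpath, name)
        if os.path.islink(full) and check_symlink(full) is False:
            blocked.append(full)
    return sorted(blocked)


def demo():
    """Constructed sample: a sticky, world-writable directory (like /tmp)
    holding one symlink whose owner matches its target, so nothing is blocked."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o1777)
        target = os.path.join(d, "target")
        open(target, "w").close()
        os.symlink(target, os.path.join(d, "link"))
        return audit_directory(d)
    finally:
        shutil.rmtree(d)
```

Running `audit_directory("/tmp")` lists links a kernel enforcing the quoted rule would refuse to follow; `demo()` returns an empty list because the constructed link and its target share an owner.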
