Vulnerability Development mailing list archives

Re: Kernel module for file protection ideas
From: Valdis.Kletnieks () vt edu
Date: Fri, 09 Jan 2004 16:27:21 -0500

On Fri, 09 Jan 2004 11:28:50 +0530, "Aditya [ Aditya Lalit Deshmukh ]" <aditya () online gateway technolabs net>  said:

> this would be a very bad idea as any kernel level programmer will tell you
> that every 'if' takes time for comparison and you will be doing that every time
> for every file access and parsing through a list of datastructs and other stuff
> that would possibly make the system very slow for any "real world" use

Odd, I'm running SELinux, which calls a hook on most system calls, and the slowdown
isn't noticeable.  On the other hand, much thought went into work on optimizing
the speed (hint 1: a linear search through a list is NOT the way to do it).

The problem is that properly defining all the security contexts is tricky - for
instance, you may want to make "which filenames are bad" depend on the program.
There are places in the filesystem you want /bin/ls to be able to look but you
don't want /bin/passwd to be looking.

The policy.conf file for the SELinux on my laptop is 55,000+ lines long.  And
that's the REAL issue - trying to describe the security policy for a production
system....
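
An added example (not part of the post and not SELinux code) of the two points in the reply above: the decision depends on both the program and the file, and the per-access check is a hashed lookup rather than a walk over a rule list. The labels, function names and table size are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 64            /* power of two so the hash can be masked */
#define P_READ  1u
#define P_WRITE 2u

/* One rule: (program label, file label) -> permitted operations. */
struct rule { const char *prog, *file; unsigned perms; int used; };
static struct rule table[SLOTS];

/* FNV-1a over both labels, with a separator byte between them. */
static uint32_t hash_pair(const char *a, const char *b) {
    uint32_t h = 2166136261u;
    for (; *a; a++) h = (h ^ (unsigned char)*a) * 16777619u;
    h = (h ^ 0xffu) * 16777619u;
    for (; *b; b++) h = (h ^ (unsigned char)*b) * 16777619u;
    return h;
}

/* Add a rule (open addressing); returns -1 when the table is full. */
int allow(const char *prog, const char *file, unsigned perms) {
    uint32_t i = hash_pair(prog, file) & (SLOTS - 1);
    for (int n = 0; n < SLOTS; n++, i = (i + 1) & (SLOTS - 1)) {
        if (!table[i].used) {
            table[i] = (struct rule){ prog, file, perms, 1 };
            return 0;
        }
        if (!strcmp(table[i].prog, prog) && !strcmp(table[i].file, file)) { table[i].perms |= perms; return 0; }
    }
    return -1;
}

/* Hook-side check: 1 = permit, 0 = deny. Pairs with no rule are denied. */
int check(const char *prog, const char *file, unsigned want) {
    uint32_t i = hash_pair(prog, file) & (SLOTS - 1);
    for (int n = 0; n < SLOTS && table[i].used; n++, i = (i + 1) & (SLOTS - 1))
        if (!strcmp(table[i].prog, prog) && !strcmp(table[i].file, file))
            return (table[i].perms & want) == want;
    return 0;
}

int main(void) {
    allow("ls_t", "home_t", P_READ);                 /* constructed labels */
    allow("passwd_t", "shadow_t", P_READ | P_WRITE);
    printf("%d %d\n", check("ls_t", "home_t", P_READ), check("passwd_t", "home_t", P_READ));
    return 0;
}
```

The lookup cost stays roughly constant as rules are added, and the same file label gets a different answer depending on which program label asks.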
