Vulnerability Development: RE: Kernel module for file protection ideas

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

RE: Kernel module for file protection ideas

From: "Aditya [ Aditya Lalit Deshmukh ]" <aditya () online gateway technolabs net>
Date: Sun, 11 Jan 2004 00:17:55 +0530

dont get me wrong - i looked at the psedo code and started making some assumptions that you were reinventing the wheel. 
The selinux is a fine implementation of the flask arch! 
that is just what i use on the firewall - it works and does what it is supposed to do nicely though i liked openbsd 
more but had to try out Selinux some time or the other 

do keep me updated about the kernel module if you are going to make one - however if you have the  necessary skills 
then help the SElinux itself 

-aditya 

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Saturday, January 10, 2004 2:57 AM
To: ald2003 () users sourceforge net
Cc: Just1n T1mberlake; vuln-dev () securityfocus com
Subject: Re: Kernel module for file protection ideas 


On Fri, 09 Jan 2004 11:28:50 +0530, "Aditya [ Aditya Lalit Deshmukh ]" <aditya () online gateway technolabs net>  said:

this would be a very bad idea as any kernel level programmer will tell you
that every 'if' takes time for comparison and you will be doing that every time
for evry file access and parsing through a list of datastructs and other stuff
that would possibally will make the system very slow for any "real world"  use


Odd, I'm running SELinux, which calls a hook on most system calls, and the slowdown
isn't noticable.  On the other hand, much thought went into work on optimizing
the speed (hint 1: a linear search through a list is NOT the way to do it).

The problem is that properly defining all the security contexts is tricky - for
instance, you may want to make "which filenames are bad" depend on the program.
There's places in the filesystem you want /bin/ls to  be able to look but you
don't want /bin/passwd to be looking.

The policy.conf file for the SELinux on my laptop is 55,000+ lines long.  And
that's the REAL issue - trying to describe the security policy for a production
system....



________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)

By Date By Thread

Current thread:

Re: Kernel module for file protection ideas, (continued)
- Re: Kernel module for file protection ideas Bruno Lustosa (Jan 08)
  - Re: Kernel module for file protection ideas George Capehart (Jan 09)
- Re: Kernel module for file protection ideas Michael Hendrickx (Jan 09)
- RE: Kernel module for file protection ideas Aditya [ Aditya Lalit Deshmukh ] (Jan 09)
  - Re: Kernel module for file protection ideas Valdis . Kletnieks (Jan 10)
    - RE: Kernel module for file protection ideas Aditya [ Aditya Lalit Deshmukh ] (Jan 10)
- Re: Kernel module for file protection ideas Vikram Rangnekar (Jan 12)