
Kernel space: Linux security non-modules and AppArmor


Long-time LWN readers will know that the Linux security module (LSM) API is controversial at best. To many, it has failed in its purpose, which is enabling the development of competing approaches to hardened Linux systems; the only significant in-tree security module remains SELinux. Meanwhile, the LSM interface is easily abused; since it allows the insertion of hooks into almost any system operation of interest, it can be used by other modules to provide non-security functionality. The LSM symbols are mostly exported GPL-only, but it is still possible for binary-only modules to abuse the LSM operations - and, apparently, some have done so.

SELinux hacker James Morris has been pondering this issue recently; he has also noticed that the in-tree security modules (SELinux and the small module implementing capabilities) cannot be unloaded. So, he asked, why implement a modular interface at all?

There have been a few complaints, but, from the author's point of view, it does not seem like anybody has come up with a compelling reason why it must be possible to unload security modules.

One such module is AppArmor - the GPL-licensed security mechanism distributed by Novell.
