Kernel space: Linux security non-modules and AppArmor

Long-time LWN readers will know that the Linux security module (LSM) API is controversial at best. To many, it has failed in its purpose, which is enabling the development of competing approaches to hardened Linux systems; the only significant in-tree security module remains SELinux. Meanwhile, the LSM interface is easily abused; since it allows the insertion of hooks into almost any system operation of interest, it can be used by other modules to provide non-security functionality. The LSM symbols are mostly exported GPL-only, but it is still possible for binary-only modules to abuse the LSM operations - and, apparently, some have done so.

SELinux hacker James Morris has been pondering this issue recently; he has also noticed that the in-tree security modules (SELinux and the small module implementing capabilities) cannot be unloaded. So, he asked, why implement a modular interface at all?

There have been a few complaints, but, from the author's point of view, it does not seem like anybody has come up with a compelling reason why it must be possible to unload security modules.

One such module is AppArmor - the GPL-licensed security mechanism distributed by Novell.
