Kernel space: Linux security non-modules and AppArmor

Filed under
Linux

Long-time LWN readers will know that the Linux security module (LSM) API is controversial at best. To many, it has failed in its purpose, which is enabling the development of competing approaches to hardened Linux systems; the only significant in-tree security module remains SELinux. Meanwhile, the LSM interface is easily abused: since it allows the insertion of hooks into almost any system operation of interest, it can be used by other modules to provide non-security functionality. The LSM symbols are mostly exported GPL-only, but it is still possible for binary-only modules to abuse the LSM operations, and, apparently, some have done so.

SELinux hacker James Morris has been pondering this issue recently; he has also noticed that the in-tree security modules (SELinux and the small module implementing capabilities) cannot be unloaded. So, he asked, why implement a modular interface at all?

There have been a few complaints, but, from the author's point of view, it does not seem like anybody has come up with a compelling reason why it must be possible to unload security modules.

One such module is AppArmor, the GPL-licensed security mechanism distributed by Novell.

More Here.