
Kernel space: Linux security non-modules and AppArmor

Filed under: Linux

Long-time LWN readers will know that the Linux security module (LSM) API is controversial at best. To many, it has failed in its purpose, which is enabling the development of competing approaches to hardened Linux systems; the only significant in-tree security module remains SELinux. Meanwhile, the LSM interface is easily abused: since it allows the insertion of hooks into almost any system operation of interest, it can be used by other modules to provide non-security functionality. The LSM symbols are mostly exported GPL-only, but it is still possible for binary-only modules to abuse the LSM operations - and, apparently, some have done so.

SELinux hacker James Morris has been pondering this issue recently; he has also noticed that the in-tree security modules (SELinux and the small module implementing capabilities) cannot be unloaded. So, he asked, why implement a modular interface at all?

There have been a few complaints, but, from the author's point of view, it does not seem like anybody has come up with a compelling reason why it must be possible to unload security modules.

One such module is AppArmor - the GPL-licensed security mechanism distributed by Novell.

More Here.
