RE: Kernel module for file protection ideas

From: Aditya [ Aditya Lalit Deshmukh ] (adityaonline.gateway.technolabs.net)
Date: Sat Jan 10 2004 - 12:47:55 CST


don't get me wrong - i looked at the pseudo code and started making some assumptions that you were reinventing the wheel. The selinux is a fine implementation of the flask arch!
that is just what i use on the firewall - it works and does what it is supposed to do nicely though i liked openbsd more but had to try out Selinux some time or the other

do keep me updated about the kernel module if you are going to make one - however if you have the necessary skills then help the SElinux itself

-aditya

-----Original Message-----
From: Valdis.Kletnieksvt.edu [mailto:Valdis.Kletnieksvt.edu]
Sent: Saturday, January 10, 2004 2:57 AM
To: ald2003users.sourceforge.net
Cc: Just1n T1mberlake; vuln-devsecurityfocus.com
Subject: Re: Kernel module for file protection ideas

On Fri, 09 Jan 2004 11:28:50 +0530, "Aditya [ Aditya Lalit Deshmukh ]" <adityaonline.gateway.technolabs.net> said:

> this would be a very bad idea as any kernel level programmer will tell you
> that every 'if' takes time for comparison and you will be doing that every time
> for every file access and parsing through a list of datastructs and other stuff
> that would possibly make the system very slow for any "real world" use

Odd, I'm running SELinux, which calls a hook on most system calls, and the slowdown
isn't noticeable. On the other hand, much thought went into work on optimizing
the speed (hint 1: a linear search through a list is NOT the way to do it).

The problem is that properly defining all the security contexts is tricky - for
instance, you may want to make "which filenames are bad" depend on the program.
There's places in the filesystem you want /bin/ls to be able to look but you
don't want /bin/passwd to be looking.

The policy.conf file for the SELinux on my laptop is 55,000+ lines long. And
that's the REAL issue - trying to describe the security policy for a production
system....
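
An added illustration, not part of the original thread and not SELinux's own code: a default-deny access check keyed on the (program, file) pair the reply describes, resolved by a hash lookup rather than a walk through a list. The label names, permission bits and table size are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

/* Assumed permission bits and table size (illustrative only). */
#define PERM_READ  0x1u
#define PERM_WRITE 0x2u
#define SLOTS 64u   /* power of two; must stay larger than the rule count */

struct rule { const char *subj, *obj; uint32_t perms; };
static struct rule table[SLOTS];

/* FNV-1a over both labels, so the key is the (program, object) pair. */
static uint32_t pair_hash(const char *subj, const char *obj) {
    uint32_t h = 2166136261u;
    for (; *subj; subj++) h = (h ^ (uint8_t)*subj) * 16777619u;
    h = (h ^ 0xffu) * 16777619u;            /* separator between labels */
    for (; *obj; obj++) h = (h ^ (uint8_t)*obj) * 16777619u;
    return h;
}

/* Return the slot holding (subj,obj), or the empty slot where it belongs. */
static struct rule *slot_for(const char *subj, const char *obj) {
    uint32_t i = pair_hash(subj, obj) & (SLOTS - 1);
    while (table[i].subj &&
           (strcmp(table[i].subj, subj) || strcmp(table[i].obj, obj)))
        i = (i + 1) & (SLOTS - 1);          /* linear probing on collision */
    return &table[i];
}

/* Add permissions for a pair; label strings must outlive the table. */
void allow(const char *subj, const char *obj, uint32_t perms) {
    struct rule *r = slot_for(subj, obj);
    r->subj = subj; r->obj = obj; r->perms |= perms;
}

/* Default deny: a pair with no rule has no permissions. */
int permitted(const char *subj, const char *obj, uint32_t want) {
    const struct rule *r = slot_for(subj, obj);
    return r->subj != NULL && (r->perms & want) == want;
}

/* Constructed sample policy: ls may read where passwd may not. */
void load_sample_policy(void) {
    allow("ls_domain", "user_files", PERM_READ);
    allow("passwd_domain", "shadow_file", PERM_READ | PERM_WRITE);
}
```

The cost of each check stays roughly constant as rules are added, which is the property a per-syscall hook needs; writing the rules themselves remains the hard part.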
