I am cross-posting this to LAD, hoping to get some useful feedback.
Paul Davis <paul(a)linuxaudiosystems.com> writes:
about that patch ... torben hohn wrote, some time ago
on LAD (see his
comment at the end). does anyone have time to check on this?
> Have a look at linux security modules. In the
2.5 kernel the
> patch you propose is not a patch, it is a kernel module.
I spent some time last night looking at...
(*) linux-2.6.0-test9 kernel sources (from Debian)
(*) SELinux 2.60-test6 sources from NSA,
http://www.nsa.gov/selinux
(*) the Linux Security Modules web site
http://lsm.immunix.org
As always with the web it's hard to tell the real stuff from the
vaporware. But, this stuff looks real to me. :-)
SELinux (Security-Enhanced Linux) is NSA's research project for
implementing DoD Orange-book security features as a pluggable kernel
module. Almost all of the SELinux modularization changes are present
in linux-2.6.0-test9. Their entire compressed patch for the
2.6.0-test6 kernel was only 1889 bytes containing 189 lines of context
diffs. By comparison, they also distribute an SELinux patch for
2.4.21, which is 209KB (compressed) containing almost 36,000 lines of
context diffs.
Internally, the 2.6 kernel exclusively uses `if(capable(CAP_foo))'
tests, AFAICT. That was already (mostly) true of 2.4. In 2.6, there
are pluggable security modules to control the semantics of these
tests. The vanilla test9 kernel includes a small example security
module, `security/root_plug.c', which tests for the presence of a
specific USB device at exec time, only allowing setuid if it is
present. It is only 143 lines long.
Domain and Type Enforcement (DTE) is another project using a loadable
security module. It seems to be aimed at Mandatory Access Controls
for partitioning the file access capabilities of root processes. The
idea is to run root daemons in a "Domain" that lacks the ability to
modify important system files like /bin/login and /etc/passwd,
frequent targets for evil crackers exploiting buffer overflows in
their victim daemons. ;-)
This leads me to believe that 2.6 *does* permit one to write a kernel
security module for selectively granting realtime permissions to
certain processes. The mechanisms provided are far more powerful than
necessary for that simple application. I don't know exactly what
realtime security policy should be implemented and how the underlying
mechanisms ought to be used, though I have some ideas.
But, the first step is to figure out if someone is already working on
this. My late-night googling didn't discover any existing project,
but surely someone is doing it by now. If not, I think we should
consider building and distributing one as part of JACK.
Comments?
--
joq