[rsbac] How does RSBAC relate to the Linux Security Module framework (LSM)?
Amon Ott
ao at rsbac.org
Fri Aug 8 13:57:10 MEST 2003
On Friday, 8. August 2003 11:08, Christian Schuhegger wrote:
> I was trying to find some information via google on how RSBAC and LSM
> are related. Does RSBAC use LSM, does it use a competing infrastructure
> to LSM, or ...

LSM provides a set of low-level hooks in kernel functions, which use pointers
to kernel internal structures as parameters.

RSBAC currently implements a separate set of hooks, which use a kernel
version independent abstraction of the type of access and the target to be
accessed.

In contrast to LSM, RSBAC has a full infrastructure for fast and efficient
security model implementations, which is also mostly independent of the
kernel version.

Based on v1.2.2, I have started porting RSBAC to kernel 2.6.0. LSM hooks will
be used where they are useful. However, the registered LSM functions will be
simple translations into the RSBAC abstraction, thus introducing another code
layer.

The port is far from finished, so I cannot yet tell how many LSM hooks can be
used and how many are missing for RSBAC. If only a few are missing, I will try
to get them included into LSM. In any case, there will be some patch places
left for init, mount notifications, secure delete, RSBAC data file lookup (in
protected rsbac.dat dirs) etc.

If the LSM extra layer does not help much, RSBAC might not use it at all to
keep its code cleaner and maybe a bit faster. I just cannot tell now, so I
will first try it out. LSM will NOT be used in 2.4 kernels, because it is not
part of the official tree, and there is no LSM patch for 2.2 kernels.

Please do not forget that most of the RSBAC code (everything in the
tarballs) is shared for all kernel versions from 2.2, 2.4 and 2.6 series, with a
bunch of #if's at all the places where the kernel interfaces have changed
once again.

Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22