[rsbac] RSBAC vs. LSM / SELinux in 2.6.0-test

Amon Ott ao at rsbac.org
Mon Sep 1 11:14:05 MEST 2003 

On Sunday, 31. August 2003 19:45, Peter Busser wrote:
> At this moment there is a situation where the RSBAC patch and the Linux
> Security Modules patch bite each other. Trying to force both in the 2.4 
kernel
> is like going into a patching hell. It is simply not worth it.
> 
> For 2.6, you have LSM and the SE Linux module (which is only part of SE 
Linux
> I think, the biggest part resides in userland). And I have no idea how the 
2.6
> port of RSBAC is going to work (maybe Amon can comment on that?).
 
If the LSM and SELinux stubs are in the kernel, they will not clash with 
RSBAC during patch - the RSBAC patch will be against the official tree in any 
case, with or without SELinux.


Based on this current discussion, I will express some of my thoughts about 
LSM / SELinux vs. RSBAC.

As far as I am concerned, some important problems in the LSM design (only 
partly solved by SELinux) are that

- it not by itself allows to register several functions at the same stub, so 
modules have to implement a stacking and Meta decision algorithm by 
themselves. There is a stacker helper module, but this does not seem to be 
included by default.

- it is *very* low level, exporting and exposing kernel internal data 
structures directly to the registered functions and without any abstraction. 
You will have to #ifdef for the kernel version inside these functions, 
bringing back the kernel version dependency which had been one goal to avoid 
and which is mostly avoided in the RSBAC framework.
(I remember Steven Smallay arguing that RSBAC's exposing only *some* of these 
structures without accessing them in the decisions was real bad.)

- there is no generic syscall interface for administration. The once existing 
sys_security has even been removed (!), because you can reimplement all 
administration logic with pseudo files in /proc or a separate filesystem 
(like SELinux does), thus getting back to file access control lying in the 
way. Such a, quite SELinux specific, interface is in /proc/pid/attr to read 
process attributes, see recent dicussion at the LSM list with Philippe Biondi 
of LIDS.
There had been long discussions why one more syscall added to over far over 
200 would not be acceptable to keep, correct me if I got the focus wrong.

- LSM does not have an infrastructure for attribute management. Each module 
still has to reinvent the wheel for subject and object attributes, not even 
talking of persistent storage. The only thing available is a void pointer at 
the most important (kernel version specific) structures, which, again, has to 
be shared by all registered modules (!).

- the post calls (notification calls in RSBAC) are rare, although they should 
have been there in most cases, and at least partly miss the original 
arguments to the controlled functions. This can be mended in later LSM 
versions, though - with another bunch of #ifdefs for the LSM version...

Please do not get the idea that I disagree with all the work done for LSM. It 
is just that in my opinion an access control framework for Linux should look 
very different. My limited amount of time (I do not get paid for RSBAC 
development) forbid to closely follow the LSM implementation, so I refrained 
from arguing around after stating my general opinion.

The big LSM problem was to be accepted by the main stream kernel, which more 
focused on functionality and speed than well designed security. The LSM team 
decided to take what they could get despite the disadvantages, and so far I 
have decided to do what I believed to be better design, even it it would 
never be part of the official kernel.

SELinux is so deeply integrated with LSM, that they even had to remove some 
network access control, which they previously believed to be necessary.

I am not going to remove anything from RSBAC believed to be important, unless 
there is a very good reason for it. Some extensions are impossible with LSM 
by design, e.g. the partial tree Linux DAC disabling, the symlink redirection 
or the secure delete functionality. This means that there will be an RSBAC 
patch for a long time to go, it will only become slightly smaller by moving 
some functionalily from the patch to the registered LSM functions.

So far, I have not decided wether to provide LSM stacking logic in RSBAC, 
this might come later. A restricted, LSM-only RSBAC version looks quite 
unlikely for the near future, because too many important interfaces are 
missing. The final picture will come after I finished the port.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list