Chris Wright <[email protected]> wrote on 06/15/2005 05:53:01 PM:
> * [email protected] ([email protected]) wrote:
> > Quoting Chris Wright ([email protected]):
> > > The primary purpose of the hooks is access control. Some of them, of
> > > course, are helpers to keep labels coherent. IIRC, James objected
> > > because the measurement data was simply collected from these hooks.
> >
> > Ok, so to be clear, any module which does not directly impose some form
> > of access control is not eligible for an LSM?
>
> That's exactly the intention, yes.
Chris,
Access control is a very broad term. Before I go into details, I would
like to make clear that I do not have a preference for or against LSM. We
are working hard to make the functionality available and it does not
matter to the user where IMA will be located. The true potential of
Trusted Computing will only show with experimenting going on outside
the research labs. IMA can help by being one modest building block
for experiments only if it is broadly available.
Regarding the access control discussion, one can map (almost) anything
onto access control. There are (many) people that teach today that the
whole security issue is about access control. The question is:
controlling access of whom to what?
IMA does control access by forcing measurements on executables
before they are loaded. Access control is more than saying yes or no at
some point on the code path. IMA enables remote parties to figure out
whether a system has some (usage dependent) properties. This can serve as
the basis for controlling such systems' access to resources. IMA supplies
input into a remote Access Control Decision Function.
These properties neither justify IMA to be excluded as LSM, nor force IMA
to be an LSM.
> thanks,
> -chris
Thanks
Reiner
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]