Linux Today: Linux News On Internet Time.

Crispin Cowan: Linux Security Module Interface

Apr 12, 2001, 22:13 (2 Talkback[s])
Date:         Tue, 10 Apr 2001 17:04:12 -0700
From: Crispin Cowan <crispin@WIREX.COM>
Organization: WireX Communications, Inc.
Subject:      Linux Security Module Interface

One of the byproducts of the Linux 2.5 Kernel Summit http://lwn.net/2001/features/KernelSummit/ was the notion of an enhancement of the loadable kernel module interface to facilitate security-oriented kernel modules. The purpose is to ease the tension between folks (such as Immunix and SELinux) who want to add substantial security capabilities to the kernel, and other folks who want to minimize kernel bloat & have no use for such security extensions.

Modules that can be loaded, or not, are the obvious solution, but the current LKM does not export sufficient hooks to support many security mechanisms. Thus many current security enhancements end up existing as kernel patches, which marginalizes their utility by making distribution problematic. The proposed solution is to enhance the LKM with a variety of new kernel elements exported to the module interface, so as to support a reasonable variety of security enhancements.

We have started a new mailing list called linux-security-module. The charter is to design, implement, and maintain suitable enhancements to the LKM to support a reasonable set of security enhancement packages. The prototypical module to be produced would be to port the POSIX Privs code out of the kernel and make it a module. An essential part of this project will be that the resulting work is acceptable for the mainline Linux kernel.

The list is open to all. You can subscribe here http://mail.wirex.com/mailman/listinfo/linux-security-module or by sending e-mail to linux-security-module-request@wirex.com with a subject of "subscribe".


Crispin Cowan, Ph.D.

Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org