Re: The disappearing sys_call_table export.

Mike Touloumtzis (miket@bluemug.com)
Wed, 14 May 2003 13:58:47 -0700


On Wed, May 14, 2003 at 06:34:30AM -0400, Ahmed Masud wrote:
>
> Level of security is a matter of trust. Should the kernel trust a
> distribution provider? No, that is not a reasonable request, because we do
> not control their environment and evaluation procedures and there are no
> guarantees between the channel that provides the operating system to the
> time it gets installed on a system.

I don't understand why people are willing to base security arguments
on some sort of bizarre adversarial relationship between the kernel and
the system tools.

No Unix (even a "secure" one) is designed to run all security-critical
code in the kernel. That would be a bad design anyway, since it would
run lots of code at an unwarranted privilege level. "login" is not
part of the kernel. "su" is not part of the kernel. The boot loader
is not part of the kernel. And so on.

There is no issue of "trust" between the kernel and the distribution
provider. The distribution provider provides a system, which (like all
Unix-derived systems) is modular and thus has multiple independent
components with security functions. The sum of those parts is what you
should evaluate for security. Yes, the system should include proper
isolation mechanisms to prevent improper privilege escalations. But it
doesn't make sense to even think about what the kernel should do when
the untrusted distribution provides a malicious "/sbin/init".

miket
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/