Torvalds On Pluggable Security Models 216
eldavojohn writes "The KernelTrap highlights an interesting discussion on pluggable security models including some commentary by Linus Torvalds. While Torvalds argued against pluggable schedulers, he's all for pluggable security. Other members were voicing concerns with the pluggable nature of the Linux Security Model, but Torvalds put his foot down and said it stays. When asked why his stance was different between schedulers and security, he replied, 'Schedulers can be objectively tested. There's this thing called 'performance,' that can generally be quantified on a load basis. Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers. So the difference between them is simple: one is hard science. The other one is people wanking around with their opinions.'"
Spot on Torvalds... (Score:4, Insightful)
If not, an artificial limit onto the integrity of the system would be created. Sure SELinux is a viable option, but why should we think it is the best ?
Re:Awesome (Score:3, Insightful)
Re:Spot on Torvalds... (Score:5, Insightful)
So, no, security folks are not "wanking around" as some specific asshole seems to claim, they are using the best tools available to evaluate adequacy of different security solutions. Those that do not get this are not getting what security is about and what the state of the art is. These people should better stay far away from security-relevant decisions and let people that at least understand present technology in that area make the decisions.
Re:Spot on Torvalds... (Score:2, Insightful)
Re:Well (Score:1, Insightful)
Re:Spot on Torvalds... (Score:5, Insightful)
Yeah, because modularizing the scheduler doesn't have any performance or implementation or maintainance or QA problems.
-:sigma.SB
So we can quantify scheduling performance? (Score:5, Insightful)
If we don't keep scheduling modular, an artificial limit on the performance of the system will be created. Sure, CFS is a viable option, but why should we think it is the best ?
What's more, "wanking around with your settings" has often been what Linux has always been about. Ubuntu never uses chroot in a normal situation; does that mean it should be taken out? My GUI and hotplug utilities can automount anything I plug in; should
We haven't used anything but ELF for probably 5-10 years, yet, last I checked, a.out is still supported.
Why should the system be made non-modular?
Re:Spot on Torvalds... (Score:3, Insightful)
The best of present technology is modular to a certain extent, from a micro and macro perspective of system or network. Why implement a non-defacto standard of secure by including it in the kernel?
I've run SELinux, and I know that James Morris isn't stating he wants that exact implementation only, but he says choose one. How do we quantify that or any assertion and make an informed decision going forward knowing that there possibly is a more secure path to follow?
Re:Well (Score:5, Insightful)
Re:So we can quantify scheduling performance? (Score:5, Insightful)
Re:Spot on Torvalds... (Score:5, Insightful)
Re:Spot on Torvalds... (Score:3, Insightful)
Re:Well (Score:5, Insightful)
You're not being very convincing either. You call Linus all sorts of things, without actually saying specifically why you think he is arrogant, clueless, and has no understanding. I'm open to the idea that he may be, but your post certainly does nothing to convince me of it.
At least Linus has specifically stated why he thinks security guys are "wanking around". It's because security people state that "only my version is correct", when they don't quantify exactly why this is the case. That certainly meets my criteria for "wanking around". Linus appears to have made a good judgement call.
Scheduler vs Security Plugins (Score:3, Insightful)
As for the Linux scheduler, I wouldn't mind a choice in desktop vs server tweak settings in (a)
Enjoy,
Re:Well (Score:5, Insightful)
There is no security model that's better than others for all cases. They're all tradeoffs between convenience and security at the user level, and no, a security model is not quantifiable, as the amount of variation between specifications is mindboggling. Do you know the difference between RBAC, RAS, SELinux, AppArmor? Between the dozens of different and incompatible security systems used in AIX, Solaris, i5/OS, QNX, z/OS, and VMS? They all have their places, they all have their own advantages and disadvantages. Security doesn't stop with setting the "sticky bit".
But most importantly, security models are not CPU-intensive. Even the most demanding model will check file access permissions once in a blue moon in comparison to a scheduler. Schedulers store and use differnt information in very different ways which makes it difficult to make a generic framework that will support every possible datum they might need without making a significant impact on performance (it's a piece of code called thousands of times a second, performing rather complex computations).
Besides, it doesn't mean that Linux doesn't have several schedulers. It does, but they're kept under different branches, and they're sufficiently tunable to meet all your usual requirements, and CFS is a sufficiently superior alternative with the right stuff to warrant its maintenance in the mainline.
Re:like object oriented? (Score:5, Insightful)
At some point, you have to deal with the fact that there is going to be some overhead in dealing with an object-oriented approach. Even if the significance is near 0, the scheduler is pushing operations on the CPU on an incredibly large scale, which might show its ugly face in performance. IMHO, it wouldn't, but I guess Linus knows better than I...
Anyway, there is this great site called the Linux Kernel Archives [kernel.org], which has the source code for every version of the Linux kernel ever put out. If somebody was really serious about using their own CPU scheduler, all they have to do is take the latest version of the kernel, download the source code and modify sched.c to fit their needs. Even if it isn't object-oriented, that doesn't change the fact that everything else in the kernel only cares that default_wake_function tries to wake up a thread - it doesn't matter how it works on the inside. All the other parts know about is the sched.h header file.
Sure, it isn't on-the-fly pluggable, but different distributions could easily use different schedulers if they simply compile the kernel. A distribution could make a sched.c that is pluggable (it would have an interesting look to it, but it could be done). I wouldn't want to debug it, but for all this complaining, you'd think somebody would do something about it.
Re:Ahem (Score:5, Insightful)
Pidgin (Score:3, Insightful)
Pidgin is an instant messaging program for Windows, Linux, BSD, and other Unixes.
How is a shortcoming of this software a shortcoming of Linux? You may be right to say there is no combined im/VOIP/video conferencing suites for Linux. Sounds strange to me, though. Perhaps you can make a feature request for Pidgin.
Re:Well (Score:5, Insightful)
Security is a process. You make the effort needed to crack or crash a system beyond the value to the attacker, and they won't attack.
There's simply no need of SELinux in a coffee pot or an MP3 player. It's overkill. Linus is concerned with all the targets of the kernel, and not just the Sewper Seekret Survur next to the dresser in some kid's room.
Now _you_ might be using Linux to keep millions of credit card numbers or to process satellite intelligence for some national government, but that's not what everyone does with it. So long as there are reasons to focus more or less on security and different needs among those focusing on it, pluggable security models make sense.
For the vast majority of Linux targets, SELinux in particular is probably overkill. The scheduler effects everyone. If your main goal is security at all costs, use SELinux (it's not hard) or use OpenBSD instead of Linux.