Torvalds On Pluggable Security Models

eldavojohn writes "The KernelTrap highlights an interesting discussion on pluggable security models including some commentary by Linus Torvalds. While Torvalds argued against pluggable schedulers, he's all for pluggable security. Other members were voicing concerns with the pluggable nature of the Linux Security Model, but Torvalds put his foot down and said it stays. When asked why his stance was different between schedulers and security, he replied, 'Schedulers can be objectively tested. There's this thing called 'performance,' that can generally be quantified on a load basis. Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers. So the difference between them is simple: one is hard science. The other one is people wanking around with their opinions.'"

If you read all of it ...

[golodh]

Perhaps if people read all of Linux's email they would be more understanding and less quick to condemn him.

His complete email reads:

Schedulers can be objectively tested. There's this thing called "performance", that can generally be quantified on a load basis.

Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers.

So the difference between them is simple: one is "hard science". The other one is "people wanking around with their opinions".

If you guys had been able to argue on hard data and be in agreement, LSM wouldn't have been needed in the first place.

BUT THAT WAS NOT THE CASE.

And perhaps more importantly:

BUT THAT IS *STILL* NOT THE CASE!

Sorry for the shouting, but I'm serious about this.

Al I alone in thinking that Linux basically says:

"Look I'm no security expert, and I'd be happy to follow your collective expert guidance if only:

(a) you could quantify what you're saying and turn it into engineering instead of a religious argument

(b) the lot of you could agree on *one* set of guidelines/features as being best all-around

Unfortunately it appears you can't do either. That being so, I'm not going to burn my fingers and blindly choose one security boondoggle over all the others. I'll just make them pluggable so that every one of you can have his own personal security system. End of discussion. Now go away and be happy."

Re:Spot on Torvalds...

[fimbulvetr]

You're right, AFAICT, but you've missed the emphasis on "more" code. From what I've read, the scheduler's tentacles touch just about every portion of vital linux code and making something "pluggable" on the order of this would require an enormous amount of effort - effort that would be pointless for all but very small minorities that can apply a patch easily.

Indeed, it's also been showing (RTFML) that scheduler improvements are mostly trivial and generally don't warrant such an effort.

Finally, one must consider that the enormous amount of bugs being introduced by touching so many different areas and applying different algorithms in different cases.

Maybe this is something for consideration with the 3.x branch (Of which Linus has no intention of making), but it seems like a reasonable decision so far given the data.

Re:Spot on Torvalds...

[RedWizzard]

So, no, security folks are not "wanking around" as some specific asshole seems to claim, they are using the best tools available to evaluate adequacy of different security solutions. Those that do not get this are not getting what security is about and what the state of the art is. These people should better stay far away from security-relevant decisions and let people that at least understand present technology in that area make the decisions.

If you actually read the article instead of just reacting to the sensationalist quote you'd know that this is exactly what Linus is saying. Security people don't agree and he is not qualified to make a decision so modularization needs to stay. In the case of the scheduler he feels he is qualified to make decisions and has done so. However he does bemoan the fact that the arguments presented by the security experts often don't make a lot of sense. This is where the "wanking around" quote comes from.

Re:So we can quantify scheduling performance?

[mrwolf007]

I wasn't aware we'd completely solved problems of responsiveness vs throughput, or of normal vs soft realtime vs hard realtime.

Hard realtime usually implies severe perfomance penalties. People who really need something like that probably dont use a vanilla kernel.

If we don't keep scheduling modular, an artificial limit on the performance of the system will be created. Sure, CFS is a viable option, but why should we think it is the best ?

Torvalds usually doesnt care about something being the best. Its supposed to be good enough.
Using the word best requires you to say for what, otherwise you might as well use a word such as coolest, most geeky, most whatsoever.
Since Torvalds usually cares a lot about efficiency i guess that a plugable scheduler would be less performant.

Re:Good.

[NullProg]

I can't videoconference, edit videos, make mp3s, play video games or make a slideshow in Linux. How about a couple of kernel devs drop off and help Linux go the last mile.

Other than video conferencing (haven't tried), my wife and 13 year old son can do everything on your list (using SuSE, Fedora or Ubuntu).

Shouldn't you be posting questions to http://www.linuxquestions.org/ [linuxquestions.org] or http://www.justlinux.com/ [justlinux.com] ?
You wont get a RTFM response.

Slashdot isn't a Linux help forum.

Enjoy,

Re:Well

[QuantumG]

Linux is a kernel.
Linus is an asshole.

Ahem

[deblau]

Computer security isn't hard science? Someone should point Linus to the Orange Book [wikipedia.org] or the Common Criteria [wikipedia.org].

Re:Spot on Torvalds...

[fabs64]

Did you even read the freakin discussion? The whole thing was about whether security should be modular, linus was arguing that it should stay modular, someone else was arguing that it should not and cited the scheduler as an example of linus preferring a singular option.

Re:Scheduler vs Security Plugins

[Anonymous Coward]

Correct me if I'm wrong, wouldn't a security plugin have to be authenticated?

You're wrong, it doesn't need to be authenticated in the way you're inferring.

Only root can load new kernel modules, so you'd have to have the highest permissions to load a new security module into the kernel at runtime.

The integrity of the security module binary would of course depend on your distribution and how you receive new updates over the internet, as well as the security of your file system (permissions should be correctly setup on your filesystem).

Having signed security modules is possible (but is optional, completely isolated and redundant in most cases). This isn't Windows where you are forced to have signed kernel modules/drivers while attackers can work around your security in other ways (patching the binary on your system which does code signing validation, adding new rogue certificates to your certificate store, etc).

Re:Bring deRaadt in for a consult

[Anonymous Coward]

Last week there happened to be a discussion on the OpenBSD mailing list about SELinux. See http://marc.info/?l=openbsd-misc&m=119047563000795&w=2/ [marc.info]

irony

[cycoj]

I think there's some real irony here. Linus says that scheduling performance is "hard science" therefore it is easy to make a decision. But he did not make his scheduler decision based on "hard science" he based it on personal preference.

Re:Well

[DrXym]

Linus is an asshole.

To some perhaps. To others he's just an effective team leader who makes decisions to focus efforts. The alternative is usually a lot of people flapping around like headless chickens since they don't know which way to go. Worse yet if the thing is run by an ineffective person or committee where development slows to a glacial pace because no patches are accepted or bogged down in protracted politics and debate. If you want to see what the kernel development would look like in those circumstances, look up XFree86, Emacs, Hurd etc.