On Wed, 2011-03-23 at 09:10 +0800, Yao wrote: > Maybe I should explain. We think kernel is untrusted, ss is trusted. > we protect the security server through gerenating a separate address > space. When we need to use ss, we switch to this space. If untrusted > kernel code can be executed, what we do became meaningless. That's why > we want the ss self-contained. And our work should apply to flask > architecture, that's why we chose selinux. > Is it possible to fulill my goal without modifying ss excessively? The kernel has to be trusted - it runs in ring 0. And the security server is just a policy engine - it just provides policy decisions to the kernel upon request. The kernel performs the policy enforcement of those decisions. In Fluke/Flask, the security server ran in userspace, but that was a microkernel-based OS. And even there, we weren't trying to protect the security server from the (micro)kernel. It doesn't make sense to try to protect the security server apart from the rest of the kernel. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
