Torvalds On Pluggable Security Models
eldavojohn writes "The KernelTrap highlights an interesting discussion on pluggable security models including some commentary by Linus Torvalds. While Torvalds argued against pluggable schedulers, he's all for pluggable security. Other members were voicing concerns with the pluggable nature of the Linux Security Model, but Torvalds put his foot down and said it stays. When asked why his stance was different between schedulers and security, he replied, 'Schedulers can be objectively tested. There's this thing called 'performance,' that can generally be quantified on a load basis. Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers. So the difference between them is simple: one is hard science. The other one is people wanking around with their opinions.'"
He's right.
I've been wanking around with pluggable opinions for years, and I turned out okay.
I'll subscribe to Slashdot when I see a month without a dupe, a typo, or an article the "editors" didn't read.
Secretly, Linus Torvalds and Richard M. Stallman have become married under the control of manwitch Eric S. Raymond. Quick, run away from the GNU!
Linux is dying! Eric S. Raymond confirms it!
If not, an artificial limit onto the integrity of the system would be created. Sure, SELinux is a viable option, but why should we think it is the best?
Walk with Music;
... but what would happen if you forgot to "plug in" a scheduler?
Back to single tasking ala DOS?
Being able to choose which (if any) security module to plug in seems to make a lot more sense.
"But the *discussion* on security seems to never get down to real numbers. So the difference between them is simple: one is hard science. The other one is people wanking around with their opinions"
Thanks Linus, that cracked me up. I've always felt that way about a lot of the stuff the security guys do. I'm gonna forward that to our local security guys and see what they think!
I am government man, come from the government. The government has sent me. -- G.I.R.
If I came up with a benchmark to quantify security policies, would he:
A. Change his mind and make security policies not pluggable?
B. Keep security policies pluggable, but add support for pluggable schedulers to be consistent?
C. Not change his mind, because this is just a wanker's rationalization anyway?
Oh? So the debate between responsivity and throughput has finally been resolved? And we have a perfect algorithm for assigning dedicated CPUs for staged pipeline-parallel programming?
Linus may have strong opinions, but as an OS guy he should know better.
It sure does like an object oriented approach. If the scheduler and other 'components' can be made pluggable, then it eases up the tasks of many. Developers can focus on 1 aspect of the OS, while the core kernel is just there to 'receive' the 'plugin'. How does it differ from the current approach? Are there too 'components' dependent on each other?
Do I require the c-sig package to have a signature?
What makes him so big that he thinks he should control Linux? Just because his first name is the same?
please type the word in this image: frontal [lobotomy???]
I think Linus may want to think hard about creating a distinction there.
``...the subjectivist states his judgments, whereas the objectivist sweeps them under the carpet by calling assumptions knowledge, and he basks in the glorious objectivity of science.'' - I.J. Good
"oohhh... I didn't know Schopenhauer was a philosopher!"
Doesn't Teh Lunis understand what Teh FOSS is all about? It's ALL about wanking around with your opinion. Oh, and it's all about choice (meaning, any choice except Teh MiKKKro$$$oft).
Who could have imagined Teh Lunis just doesn't get it? Teh Stallman gets it, so why doesn't Teh Lunis?
I wasn't aware we'd completely solved problems of responsiveness vs throughput, or of normal vs soft realtime vs hard realtime.
If we don't keep scheduling modular, an artificial limit on the performance of the system will be created. Sure, CFS is a viable option, but why should we think it is the best?
What's more, "wanking around with your settings" has often been what Linux has always been about. Ubuntu never uses chroot in a normal situation; does that mean it should be taken out? My GUI and hotplug utilities can automount anything I plug in; should /etc/fstab be removed?
We haven't used anything but ELF for probably 5-10 years, yet, last I checked, a.out is still supported.
Why should the system be made non-modular?
Don't thank God, thank a doctor!
The moment I saw the word "scheduler".
Damn, I'm sick of scheduler FUD. It makes its way into every single Linux conversation now, no matter how unrelated.
Just disrupt the deflector shield with a tachyon burst.
I'm sure most people that use linux are familiar with "wanking".
That hot chick on Television who asks if I have worms, and sells antivirus software. That's one pluggable security model right there.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 is the magic number.
c'mon - this is open source.
why not have both? linux-smack and linux-selinux could co-exist. fork the kernel and find some people to maintain an selinux fork - there has to be some out there if there's front-page worthy drama going on...
How's THAT for a pluggable security model?!
(yeah i rtfa'ed... lulz)
"Wanking" is rough-slang English from England, and means 'masturbating'. But Torvalds sure ain't one of us.
His complete email reads:
Schedulers can be objectively tested. There's this thing called "performance", that can generally be quantified on a load basis.
Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers.
So the difference between them is simple: one is "hard science". The other one is "people wanking around with their opinions".
If you guys had been able to argue on hard data and be in agreement, LSM wouldn't have been needed in the first place.
BUT THAT WAS NOT THE CASE.
And perhaps more importantly:
BUT THAT IS *STILL* NOT THE CASE!
Sorry for the shouting, but I'm serious about this.
Am I alone in thinking that Linux basically says:
"Look I'm no security expert, and I'd be happy to follow your collective expert guidance if only:
(a) you could quantify what you're saying and turn it into engineering instead of a religious argument
(b) the lot of you could agree on *one* set of guidelines/features as being best all-around
Unfortunately it appears you can't do either. That being so, I'm not going to burn my fingers and blindly choose one security boondoggle over all the others. I'll just make them pluggable so that every one of you can have his own personal security system. End of discussion. Now go away and be happy."
Yes, one is hard science, and the other one is people wanking around with their opinions. Specifically, the security one is hard science, while the scheduler is the wanking.
I agree with hard science. Here's some more hard science:
The kernel kicks ass.
We need better apps for Linux.
I can't videoconference, edit videos, make mp3s, play video games or make a slideshow in Linux. How about a couple of kernel devs drop off and help Linux go the last mile.
rhY
I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
I mean, Theo's the security guy, right? I'm sure Linus would have no problem whatsoever agreeing to abide by his decision...
Who died and made Linus captain of the anti-wanker task force?
Freedom is free.
How can you trust that guy if he came here to steal all those American jerbs?
Just think how many were laid off at Microsoft alone?
Obama likes poor people so much, he wants to make more of them.
I am with Linus on this one. For the life of me I can't understand what this sucking up to RMS is about. Linus himself does not think GPLv3 is a good thing. So why do people keep adopting it?
Without Linus FOSS is tossed. Not following Linus is dangerous for the survival of FOSS.
Bugger off, ya bloody, spastic, wanker. Outside of England, all your sodding curse words arse [sic] just +funny to everyone else. So stop trying to shag the language everybody else uses -- that's just naff. Did I mention you're cheeky shite-bunging monkey. Oh yeah, and Bob's your uncle! Cheerio!
Computer security isn't hard science? Someone should point Linus to the Orange Book or the Common Criteria.
This post expresses my opinion, not that of my employer. And yes, IAAL.
Correct me if I'm wrong, wouldn't a security plugin have to be authenticated? That would add a couple of extra layers not required for a scheduler. A "Rock Solid" built-in security scheme might be better (Unlike the Windows address relocation method). Linus is correct in the fact that there is a new security method every week. What's the correct one to choose?
As for the Linux scheduler, I wouldn't mind a choice in desktop vs server tweak settings in (a) /proc/sys/scheduler (if it existed). RedHat, Ubuntu, SuSE, etc. could set the defaults based on user selection at install (Work Station vs Server).
Enjoy,
It's just the normal noises in here.
Yay for creative grammar... I apologize to anyone else who caught that. Preview is not my friend today :(
Don't thank God, thank a doctor!
...don't pay attention to Linus when he's not talking about the specific set of topics he's an expert in (kernels, version control, project management, etc).
(PS: doesn't the idea of "pluggable security models" make you a little nervous? Shouldn't those be a little more tightly bound to the OS?)
exactly my thoughts.
Who cares?
I knew my karma would get kicked in the teeth over this, but seriously, why can't I just right click on a Pidgin buddy and instantly h.264 and speex to a buddy online? Linux needs to "just work" out of the box, and it still needs a LOT of polish.
rhY
I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
Even if he is right, this is just more proof that socialists really are dictator types who want to decide for others.
Actually, that would be a security 'hole' now, wouldn't it?
I think there's some real irony here. Linus says that scheduling performance is "hard science", therefore it is easy to make a decision. But he did not make his scheduler decision based on "hard science"; he based it on personal preference.
Because LSM is compiled and enabled in the kernel, its symbols are exported. Thus, every rootkit and backdoor writer will have every hook he ever wanted in the kernel. This will allow for a new generation of sophisticated backdoors and rootkits that will be nearly impossible to detect.
http://www.grsecurity.net/lsm.php
what you need to know in order to complete the goal. Security needs to know the authenticity of a process and its actions taken in the context of the system (so syscalls, files and memory access pretty much cover the lot). What do you need for scheduling? A lot more difficult to think of.
If you're going to think of a pluggable architecture you have limited access to what is available in the entire system (because you need to specify an API which necessarily limits what you can ask for). In the case of security, this doesn't block out much in the way of security options. The space of what you need is very limited in any case. When it comes to scheduling, if you don't put in an API to retrieve memory churn, then you cannot use that to decide whether it should take longer less often when running. You've now defined what scheduling metrics you can get and the poor definition of what you need to get means you've pre-defined your scheduler.
If you just say "write the kernel to spec your required scheduler" you have much more leeway in supplying the right information for the scheduler you are implementing. you don't care if another scheduler will need to know X because you aren't implementing it.
Mind you, as far as the whole "wanking" statement, I would suggest that Linus' takes on the political aspect of licensing is him wanking about something he knows nothing about yet doesn't want someone else deciding for him.
Perhaps it's time to update my CV.
Linus Torvalds lecturing other people on wanking with their opinions. That's almost as funny as George Bush talking about education and literacy.
He has an opinion that nobody needs to know about legal things. However, he doesn't want to leave it as "no opinion" so he goes off wanking about his opinion that only applies to what he wants to do with the kernel, NOT about what others want to do with their code.
Actually, this tells me he doesn't understand one or the other. The only difference between scheduling and security numbers is how you measure. Security can be measured too, if you know what you're measuring -- number of attackers who gain access, number of attacks detected, compromises detected, etc. It's just the same in scheduling -- you can measure scheduling IF you know what you're measuring: realtime desktop performance, IO performance, etc. But similar conflicts arise in both: realtime latency vs. maximum IO bandwidth; hackers prevented from accessing a secure system vs. legitimate users locked out, etc.
...that you changed Linus Torvalds' name to Linux.
Never having used that software, I had a look at http://www.pidgin.im/about/. It says
Pidgin is an instant messaging program for Windows, Linux, BSD, and other Unixes.
How is a shortcoming of this software a shortcoming of Linux? You may be right to say there is no combined im/VOIP/video conferencing suites for Linux. Sounds strange to me, though. Perhaps you can make a feature request for Pidgin.
I'm sorry if I haven't offended anyone
Bigger is better.
You know, the more I read about Linus and come across his statements, whether others agree with him or not, I do like his frankness.
Bacchus has drowned more men than Neptune.
a 'hole'?why i'm suddenly like not gud feeling bout it..foget it,let's be on right path now.
From a diversity point of view, it's better to have a pluggable security architecture, in the event an application and security architecture was able to be compromised it might be limited to that distro (ie. Redhat = SELinux, Ubuntu = AppArmor).
"What I thought I'd do was I'd pretend I was one of those deaf-mutes."
Prove it. Hold on, didn't someone say the lack of empirical evidence is the whole basis of the problem and Linus's argument?
He's convincing to server-obsessed performance mavens. Desktop users don't get a look in.
XML is like violence. If it doesn't solve the problem, use more.