Slashdot Mirror

← Back to Stories (view on slashdot.org)

Torvalds On Pluggable Security Models

Posted by kdawson on from the plain-speaking dept.

eldavojohn writes "The KernelTrap highlights an interesting discussion on pluggable security models including some commentary by Linus Torvalds. While Torvalds argued against pluggable schedulers, he's all for pluggable security. Other members were voicing concerns with the pluggable nature of the Linux Security Model, but Torvalds put his foot down and said it stays. When asked why his stance was different between schedulers and security, he replied, 'Schedulers can be objectively tested. There's this thing called 'performance,' that can generally be quantified on a load basis. Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers. So the difference between them is simple: one is hard science. The other one is people wanking around with their opinions.'"

8 of 216 comments (clear)

  1. wanking around by Anonymous Coward · · Score: 5, Funny

    I've been wanking around with pluggable opinions for years, and I turned out okay.

  2. Re:Spot on Torvalds... by Solra+Bizna · · Score: 5, Insightful

    Yeah, because modularizing the scheduler doesn't have any performance or implementation or maintainance or QA problems.

    -:sigma.SB

    --
    WARN
    THERE IS ANOTHER SYSTEM
  3. What about by sokoban · · Score: 5, Funny

    That hot chick on Television who asks if I have worms, and sells antivirus software. That's one pluggable security model right there.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 is the magic number.
  4. If you read all of it ... by golodh · · Score: 5, Informative
    Perhaps if people read all of Linux's email they would be more understanding and less quick to condemn him.

    His complete email reads:

    Schedulers can be objectively tested. There's this thing called "performance", that can generally be quantified on a load basis.

    Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers.

    So the difference between them is simple: one is "hard science". The other one is "people wanking around with their opinions".

    If you guys had been able to argue on hard data and be in agreement, LSM wouldn't have been needed in the first place.

    BUT THAT WAS NOT THE CASE.

    And perhaps more importantly:

    BUT THAT IS *STILL* NOT THE CASE!

    Sorry for the shouting, but I'm serious about this.

    Al I alone in thinking that Linux basically says:

    "Look I'm no security expert, and I'd be happy to follow your collective expert guidance if only:

    (a) you could quantify what you're saying and turn it into engineering instead of a religious argument

    (b) the lot of you could agree on *one* set of guidelines/features as being best all-around

    Unfortunately it appears you can't do either. That being so, I'm not going to burn my fingers and blindly choose one security boondoggle over all the others. I'll just make them pluggable so that every one of you can have his own personal security system. End of discussion. Now go away and be happy."

  5. Re:Well by rumblin'rabbit · · Score: 5, Insightful

    I've used lots of software that was arrogant and clueless. Hell, I've written software that was arrogant and clueless.

  6. Re:Spot on Torvalds... by RedWizzard · · Score: 5, Informative

    So, no, security folks are not "wanking around" as some specific asshole seems to claim, they are using the best tools available to evaluate adequacy of different security solutions. Those that do not get this are not getting what security is about and what the state of the art is. These people should better stay far away from security-relevant decisions and let people that at least understand present technology in that area make the decisions. If you actually read the article instead of just reacting to the sensationalist quote you'd know that this is exactly what Linus is saying. Security people don't agree and he is not qualified to make a decision so modularization needs to stay. In the case of the scheduler he feels he is qualified to make decisions and has done so. However he does bemoan the fact that the arguments presented by the security experts often don't make a lot of sense. This is where the "wanking around" quote comes from.
  7. Re:Well by deek · · Score: 5, Insightful

    No. Linux is not convincing. He is arrogant and more and more clueless. Unfortunately people seem to be so in awe of him, that allmost nobody is willing to tell him that he has he is "wanking around" about a lot of things he obviously does not really understand.


    You're not being very convincing either. You call Linus all sorts of things, without actually saying specifically why you think he is arrogant, clueless, and has no understanding. I'm open to the idea that he may be, but your post certainly does nothing to convince me of it.

    At least Linus has specifically stated why he thinks security guys are "wanking around". It's because security people state that "only my version is correct", when they don't quantify exactly why this is the case. That certainly meets my criteria for "wanking around". Linus appears to have made a good judgement call.
  8. Re:Well by Daishiman · · Score: 5, Insightful

    There is no security model that's better than others for all cases. They're all tradeoffs between convenience and security at the user level, and no, a security model is not quantifiable, as the amount of variation between specifications is mindboggling. Do you know the difference between RBAC, RAS, SELinux, AppArmor? Between the dozens of different and incompatible security systems used in AIX, Solaris, i5/OS, QNX, z/OS, and VMS? They all have their places, they all have their own advantages and disadvantages. Security doesn't stop with setting the "sticky bit".

    But most importantly, security models are not CPU-intensive. Even the most demanding model will check file access permissions once in a blue moon in comparison to a scheduler. Schedulers store and use differnt information in very different ways which makes it difficult to make a generic framework that will support every possible datum they might need without making a significant impact on performance (it's a piece of code called thousands of times a second, performing rather complex computations).

    Besides, it doesn't mean that Linux doesn't have several schedulers. It does, but they're kept under different branches, and they're sufficiently tunable to meet all your usual requirements, and CFS is a sufficiently superior alternative with the right stuff to warrant its maintenance in the mainline.