httpd-dev mailing list archives

From KaiGai Kohei <kai...@ak.jp.nec.com>
Subject Re: [PATCH 47021] A new MPM (security) and mod_selinux module
Date Thu, 23 Apr 2009 01:10:48 GMT
KaiGai Kohei wrote:
> Folks,
> 
> Now we have a few approaches to support SELinux.
> Which is preferable to get upstreamed?
> 
> 1. The idea of mpm_security
>  It spawns a new process for each connection. It gives third-party modules
>  a chance to assign appropriate privileges prior to invocation of the handler.
>  MERIT:
>   - It can be good news for other modules which intend to do similar things
>     such as virtual-host level privileges and so on.
> 
>  DEMERIT:
>   - It requires us to maintain an original MPM, although most of it is
>     derived from another one (prefork?).
> 
> 2. The idea of mod_selinux
>  It overrides the process_connection hook, and spawns a new worker thread
>  (or process). The worker goes into the hook again, then the module assigns
>  an appropriate privilege prior to invocation of the handler.
>  MERIT:
>   - Its code size is much smaller than the first approach.
>     About 70 lines of code are enough to spawn a one-time thread.
>     http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.c#267
> 
>  DEMERIT:
>   - Needless to say, it is not good news for other modules.

Here, we may be able to have an idea which applies a hybrid approach.
The above two ideas each have their merits and demerits.
However, I noticed these demerits can be cancelled as follows:

3. The hybrid idea
 In this idea, we need to provide two modules.
 One overrides the process_connection hook, and it spawns a new worker
 process for each connection. The worker process will be killed just after
 completion of the request handling, and the parent just waits for it.
 The worker process is always a one-time entity, so other (security) modules
 can assign more restrictive privileges on the working context itself.
 (Because it will exit later, it has no side effect.)
 The other module implements the SELinux-specific part. It can assign more
 restrictive privileges before invocation of the content handler. Needless
 to say, it can be used for other security stuff.

 MERIT:
 - This idea can be used for other operating systems and security stuff,
   not only SELinux.
 - We can maintain the module more easily than a whole new MPM.

Now I believe the third hybrid idea is preferable.
I would like to see any other opinions,

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
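
The one-time worker pattern from the hybrid idea above, as an added example that is not part of the original message and is not mod_selinux or httpd code: the child applies an irreversible restriction, runs the handler and exits, while the parent only waits. All function names are hypothetical, and lowering the hard `RLIMIT_NOFILE` is an assumed stand-in for the SELinux context switch a real security module would perform.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical security-module step: lower the hard fd limit. An unprivileged
 * process cannot raise it again (stand-in for an SELinux context switch). */
static int restrict_worker(rlim_t max_fds)
{
    struct rlimit rl = { .rlim_cur = max_fds, .rlim_max = max_fds };
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Hypothetical content handler: returns 0 only if it runs restricted. */
static int handle_request(rlim_t max_fds)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 2;
    return rl.rlim_max == max_fds ? 0 : 3;
}

/* Parent's hard limit, used to show the restriction did not leak back. */
rlim_t parent_hard_limit(void)
{
    struct rlimit rl;
    return getrlimit(RLIMIT_NOFILE, &rl) == 0 ? rl.rlim_max : 0;
}

/* Handle one connection in a one-time worker process. Returns the worker's
 * exit code, or -1 if it could not be created or ended abnormally. */
int process_connection_once(rlim_t max_fds)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (restrict_worker(max_fds) != 0)
            _exit(1);               /* fail closed: never run unrestricted */
        _exit(handle_request(max_fds));
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    rlim_t before = parent_hard_limit();
    int rc = process_connection_once(16);
    printf("worker exit=%d parent unchanged=%d\n", rc, parent_hard_limit() == before);
    return rc;
}
```

Exit code 1 means the restriction could not be applied and the handler was never run; the parent's limit is read before and after to confirm the worker's change died with it.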
