I don't understand why people are willing to base security arguments
on some sort of bizarre adversarial relationship between the kernel and
the system tools.
No Unix (even a "secure" one) is designed to run all security-critical
code in the kernel. That would be a bad design anyway, since it would
run lots of code at an unwarranted privilege level. "login" is not
part of the kernel. "su" is not part of the kernel. The boot loader
is not part of the kernel. And so on.
There is no issue of "trust" between the kernel and the distribution
provider. The distribution provider provides a system, which (like all
Unix-derived systems) is modular and thus has multiple independent
components with security functions. The sum of those parts is what you
should evaluate for security. Yes, the system should include proper
isolation mechanisms to prevent improper privilege escalations. But it
doesn't make sense to even think about what the kernel should do when
the untrusted distribution provides a malicious "/sbin/init".
miket