Re: LSM conversion to static interface

On Thursday 18 October 2007 04:18, Linus Torvalds wrote:

quoted text

> On Wed, 17 Oct 2007, Thomas Fricaccia wrote: > > > > But then I noticed that, while the LSM would remain in existence, it was > > being closed to out-of-tree security frameworks. Yikes! Since then, > > I've been following the rush to put SMACK, TOMOYO and AppArmor > > "in-tree". > > Yeah, it did come up. Andrew, when he sent it on to me, said that the SuSE > people were ok with it (AppArmor), but I'm with you - I applied it, but > I'm also perfectly willing to unapply it if there actually are valid > out-of-tree users that people push for not merging.

The patch doesn't hurt AppArmor, but it's still a step in the wrong direction. Quoting from commit 20510f2f (Convert LSM into a static interface):

quoted text

> In a nutshell, there is no safe way to unload an LSM. The modular interface > is thus unecessary and broken infrastructure. It is used only by > out-of-tree modules, which are often binary-only, illegal, abusive of the > API and dangerous, e.g. silently re-vectoring SELinux.

This is idiotic. Just because there is no safe way to unload SELinux - doesn't mean there is no safe way to unload other LSMs: if nothing but that, unloading is handy during development. - doesn't mean that module *loading* is unsafe. The patch removes module loading as well, which hurts more than removing module unloading. LSM can be abused ... so what, this doesn't mean the interface is bad. Non-LSM loadable modules have been known to do lots of bad things, and yet nobody made them non-loadable either (yet).

quoted text

> [...] > For example, I do kind of see the point that a "real" security model might > want to be compiled-in, and not something you override from a module.

Non-trivial modules (i.e., practically everything beyond capabilities) become effective only after loading policy, anyway. If you can load policy, you can as well first load a security module without making the system insecure. Thanks, Andreas -

unsubscribe notice

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/


linux-kernel:
Tarkan Erimer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
Greg Kroah-Hartman	[PATCH 001/196] Chinese: Add the known_regression URI to the HOWTO
Tarkan Erimer	Re: Slow DOWN, please!!!
git:
Kevin Ballard	Re: git on MacOSX and files with decomposed utf-8 file names
Jakub Narebski	Re: VCS comparison table
David	User's mailing list? And multiple cherry pick
Ken Pratt	pack operation is thrashing my server
linux-netdev:
Gerrit Renker	[PATCH 03/37] dccp: List management for new feature negotiation
Jiri Olsa	[PATCH] net: fix race in the receive/select
Jarek Poplawski	[PATCH take 2] pkt_sched: Protect gen estimators under est_lock.
Rick Jones	Re: RFC: Nagle latency tuning
openbsd-misc:
Richard Stallman	Real men don't attack straw men
list-obsd-misc	Re: low-MHz server
Luca Corti	Re: About Xen: maybe a reiterative question but ..
Jerome Santos	sshd.config and AllowUsers


sata_via causes emask timeout	3 hours ago	Linux kernel
KernelTrap: No Updates Into September, New Theme	2 days ago	KernelTrap Changes and News
spi uart interface	2 days ago	Linux kernel
problem in Signals	6 days ago	Linux general
How would someone compile a 2.2.x kernel on a relatively modern system?	1 week ago	Linux kernel
Modems - GSM PPP fail to get IP address	1 week ago	Applications and Utilities
Who or what is Linus Torvalds?	1 week ago	Linux general
ethernet got wierd after 2.6.29	1 week ago	Linux kernel
ATA error messages and pata_sch module	1 week ago	Linux kernel
windows folder creation surprise	2 weeks ago	Windows

Re: LSM conversion to static interface

Online users