Re: LSM conversion to static interface

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: Crispin Cowan <crispin@...>

Cc: Thomas Fricaccia <thomas_fricacci@...>, <linux-kernel@...>, LSM ML <linux-security-module@...>, Linus Torvalds <torvalds@...>

Subject: Re: LSM conversion to static interface

Date: Monday, October 22, 2007 - 12:50 pm

> > Crispin at least is providing genuine discussion points. Sarbox has
quoted text> > nothing to say on "using vendor linux kernels".
> >   
> I agree that SarBox is not really the issue here. Partially related is
> enterprise rules about what kernels one is allowed to load. More
> generally, this change forces users who want to use a different LSM than
> their vendor provides to recompile their kernel, where they did not have
> to recompile before. It forces LSM module developers who want to modify
> their LSM to reboot, where they didn't necessarily have to reboot before.

The moment they load a module from a third party they usually hit support
issues, unless there is some kind of arrangement between the parties.

quoted text> 
> That is not a catastrophe, it is just tedious. It does not kill baby
> seals, and it does not make Linux utterly useless. OTOH, I think it is
> strictly negative: it takes away user choice in 2 dimensions, and adds
> zero value. So apply it if you must to bake the kernel developer's lives
> easier, but it really is a net loss in Linux kernel capability.

Frankly I don't care about apparmor, I don't see it as a serious project.
Smack is kind of neat but looks like a nicer way to specify selinux rules.

What I do care about is that at some point something is going to appear
which is based on all the same good practice and experience and forty
years of research that leads towards SELinux, and which is much better. At
that point there will be a changeover phase and the LSM is exactly what
is needed for this.

The fact it allows people to play with toy security systems, propose new
ones like SMACK, and do research and PhD work on Linux into security is a
convenient and very good side effect.

For that reason I think keeping LSM is the right thing to do.

Alan
-
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: LSM conversion to static interface, Thomas Fricaccia, (Sun Oct 21, 10:24 pm)

Re: LSM conversion to static interface, Alan Cox, (Mon Oct 22, 6:07 am)

Re: LSM conversion to static interface, Crispin Cowan, (Mon Oct 22, 12:10 pm)

Re: LSM conversion to static interface, Alan Cox, (Mon Oct 22, 12:50 pm)

Re: LSM conversion to static interface, Greg KH, (Mon Oct 22, 12:56 pm)

Re: LSM conversion to static interface, Greg KH, (Sun Oct 21, 11:59 pm)

Re: LSM conversion to static interface, Geert Uytterhoeven, (Tue Oct 23, 12:52 pm)

Re: LSM conversion to static interface, Avi Kivity, (Mon Oct 22, 1:47 pm)

Re: LSM conversion to static interface, Adrian Bunk, (Tue Oct 23, 12:05 pm)

Navigation

Mail archive search

Popular discussions


linux-kernel:
David Miller	[GIT]: Networking
Fred .	Please add ZFS support (from GPL sources)
Rusty Russell	Re: [patch 13/26] Xen-paravirt_ops: Consistently wrap paravirt ops callsites to ma...
Amit K. Arora	[RFC] Heads up on sys_fallocate()
openmoko-community:
Neng-Yu Tu (Tony Tu)	GTA02 GPS rework for SD card interference issue
nickd	Re: My experience with the Freerunner
Flemming Richter Mikkelsen	Re: QVGA V/s VGA for GTA03 (was something about yummy CPU-GPU combos!)
cedric cellier	Re: comparing Apples and Oranges $199 iPhone Freerunner GTA02
git:
Toby White	Using Filemerge.app as a git-diff viewer
Nicolas Pitre	Re: Cleaning up git user-interface warts
Jon Smirl	! [rejected] master -> master (non-fast forward)
Abdelrazak Younes	Git-windows and git-svn?
openbsd-misc:
Kevin Stam	Re: Code signing in OpenBSD
GVG GVG	ssh_exchange_identification: Connection closed by remote host
christian johansson	openbsd on a geode
Karel Kulhavy	lookup option in /etc/resolv.conf ignored

Latest forum posts


Linux Bootup hangs after adding RealTime Premption and HR-Timer	11 minutes ago	Linux kernel
SATA 2 size problems	28 minutes ago	Windows
problem with 2.6 kernel driver for a USB MAG Stripe Reader as HID device.	13 hours ago	Linux kernel
get_user_pages failure	14 hours ago	Linux kernel
Reading linux kernel	15 hours ago	Linux kernel
High level of Seagate 2.5" SATA drives failing	21 hours ago	Hardware
Resetting the bios password for Toshiba Laptop	1 day ago	Hardware
Linux 2.6.22 slowly RUNS OUT OF LOWMEM	1 day ago	Linux kernel
Questions about modules	1 day ago	Linux kernel
KDB	2 days ago	Linux kernel

Show all forums...

Colocation donated by:

Online users

Syndicate