Re: LSM conversion to static interface

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: Crispin Cowan <crispin@...>

Cc: Thomas Fricaccia <thomas_fricacci@...>, <linux-kernel@...>, LSM ML <linux-security-module@...>, Linus Torvalds <torvalds@...>

Subject: Re: LSM conversion to static interface

Date: Monday, October 22, 2007 - 12:50 pm

> > Crispin at least is providing genuine discussion points. Sarbox has
quoted text> > nothing to say on "using vendor linux kernels".
> >   
> I agree that SarBox is not really the issue here. Partially related is
> enterprise rules about what kernels one is allowed to load. More
> generally, this change forces users who want to use a different LSM than
> their vendor provides to recompile their kernel, where they did not have
> to recompile before. It forces LSM module developers who want to modify
> their LSM to reboot, where they didn't necessarily have to reboot before.

The moment they load a module from a third party they usually hit support
issues, unless there is some kind of arrangement between the parties.

quoted text> 
> That is not a catastrophe, it is just tedious. It does not kill baby
> seals, and it does not make Linux utterly useless. OTOH, I think it is
> strictly negative: it takes away user choice in 2 dimensions, and adds
> zero value. So apply it if you must to bake the kernel developer's lives
> easier, but it really is a net loss in Linux kernel capability.

Frankly I don't care about apparmor, I don't see it as a serious project.
Smack is kind of neat but looks like a nicer way to specify selinux rules.

What I do care about is that at some point something is going to appear
which is based on all the same good practice and experience and forty
years of research that leads towards SELinux, and which is much better. At
that point there will be a changeover phase and the LSM is exactly what
is needed for this.

The fact it allows people to play with toy security systems, propose new
ones like SMACK, and do research and PhD work on Linux into security is a
convenient and very good side effect.

For that reason I think keeping LSM is the right thing to do.

Alan
-
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: LSM conversion to static interface, Thomas Fricaccia, (Sun Oct 21, 10:24 pm)

Re: LSM conversion to static interface, Alan Cox, (Mon Oct 22, 6:07 am)

Re: LSM conversion to static interface, Crispin Cowan, (Mon Oct 22, 12:10 pm)

Re: LSM conversion to static interface, Alan Cox, (Mon Oct 22, 12:50 pm)

Re: LSM conversion to static interface, Greg KH, (Mon Oct 22, 12:56 pm)

Re: LSM conversion to static interface, Greg KH, (Sun Oct 21, 11:59 pm)

Re: LSM conversion to static interface, Geert Uytterhoeven, (Tue Oct 23, 12:52 pm)

Re: LSM conversion to static interface, Avi Kivity, (Mon Oct 22, 1:47 pm)

Re: LSM conversion to static interface, Adrian Bunk, (Tue Oct 23, 12:05 pm)


linux-kernel:
Greg KH	[GIT PATCH] driver core patches against 2.6.24
debian developer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Greg Kroah-Hartman	[patch 00/40] 2.6.23-stable review, driver (sans network) changes
Roland Dreier	Re: Integration of SCST in the mainstream Linux kernel
git:

linux-netdev:
Gerrit Renker	[PATCH 03/37] dccp: List management for new feature negotiation
Arjan van de Ven	Re: [GIT]: Networking
David Miller	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Natalie Protasevich	[BUG] New Kernel Bugs
openbsd-misc:

Re: LSM conversion to static interface

Online users