Re: LSM conversion to static interface

view
thread

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: Crispin Cowan <crispin@...>

Cc: Thomas Fricaccia <thomas_fricacci@...>, <linux-kernel@...>, LSM ML <linux-security-module@...>, Linus Torvalds <torvalds@...>

Subject: Re: LSM conversion to static interface

Date: Monday, October 22, 2007 - 12:50 pm

> > Crispin at least is providing genuine discussion points. Sarbox has
quoted text> > nothing to say on "using vendor linux kernels".
> >   
> I agree that SarBox is not really the issue here. Partially related is
> enterprise rules about what kernels one is allowed to load. More
> generally, this change forces users who want to use a different LSM than
> their vendor provides to recompile their kernel, where they did not have
> to recompile before. It forces LSM module developers who want to modify
> their LSM to reboot, where they didn't necessarily have to reboot before.

The moment they load a module from a third party they usually hit support
issues, unless there is some kind of arrangement between the parties.

quoted text> 
> That is not a catastrophe, it is just tedious. It does not kill baby
> seals, and it does not make Linux utterly useless. OTOH, I think it is
> strictly negative: it takes away user choice in 2 dimensions, and adds
> zero value. So apply it if you must to bake the kernel developer's lives
> easier, but it really is a net loss in Linux kernel capability.

Frankly I don't care about apparmor, I don't see it as a serious project.
Smack is kind of neat but looks like a nicer way to specify selinux rules.

What I do care about is that at some point something is going to appear
which is based on all the same good practice and experience and forty
years of research that leads towards SELinux, and which is much better. At
that point there will be a changeover phase and the LSM is exactly what
is needed for this.

The fact it allows people to play with toy security systems, propose new
ones like SMACK, and do research and PhD work on Linux into security is a
convenient and very good side effect.

For that reason I think keeping LSM is the right thing to do.

Alan
-
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: LSM conversion to static interface, Thomas Fricaccia, (Sun Oct 21, 10:24 pm)

Re: LSM conversion to static interface, Alan Cox, (Mon Oct 22, 6:07 am)

Re: LSM conversion to static interface, Crispin Cowan, (Mon Oct 22, 12:10 pm)

Re: LSM conversion to static interface, Alan Cox, (Mon Oct 22, 12:50 pm)

Re: LSM conversion to static interface, Greg KH, (Mon Oct 22, 12:56 pm)

Re: LSM conversion to static interface, Greg KH, (Sun Oct 21, 11:59 pm)

Re: LSM conversion to static interface, Geert Uytterhoeven, (Tue Oct 23, 12:52 pm)

Re: LSM conversion to static interface, Avi Kivity, (Mon Oct 22, 1:47 pm)

Re: LSM conversion to static interface, Adrian Bunk, (Tue Oct 23, 12:05 pm)

Navigation

Mail archive search

Popular discussions


linux-kernel:
James Bruce	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
FUJITA Tomonori	Re: Integration of SCST in the mainstream Linux kernel
David Newall	Re: Slow DOWN, please!!!
Greg Kroah-Hartman	[PATCH 011/196] sysfs: Fix a copy-n-paste typo in comment
linux-activists:
Doug Evans	Re: Stabilizing Linux
Mark Saltzman	Gawk 2.13 problems
Yong-Ernn Daniel Ling	Re: MicroEmacs
Daniel Mark Gessel	References for info on 386 and AT architecture.
git:
Johannes Schindelin	Re: Git rescue mission
Johannes Schindelin	Re: VCS comparison table
Eivind LM	Split a subversion repo into several git repos
Jon Smirl	! [rejected] master -> master (non-fast forward)
openbsd-misc:
Steve Shockley	Re: Real men don't attack straw men
Matthew Dempsky	OpenBSD gateway sending bogus ICMP host unreachable packets?
Chris Bullock	OpenBSD isakmpd and pf vs Cisco PIX or ASA
Denis Fondras	OpenBSD and iSCSI support

Latest forum posts


KernelTrap: No Updates Into September, New Theme	1 day ago	KernelTrap Changes and News
spi uart interface	1 day ago	Linux kernel
sata_via causes emask timeout	4 days ago	Linux kernel
problem in Signals	6 days ago	Linux general
How would someone compile a 2.2.x kernel on a relatively modern system?	6 days ago	Linux kernel
Modems - GSM PPP fail to get IP address	6 days ago	Applications and Utilities
Who or what is Linus Torvalds?	1 week ago	Linux general
ethernet got wierd after 2.6.29	1 week ago	Linux kernel
ATA error messages and pata_sch module	1 week ago	Linux kernel
windows folder creation surprise	2 weeks ago	Windows

Show all forums...

Recent Tags

more tags

Colocation donated by:

Online users

Syndicate