Cc: <casey@...>, Chris Wright <chrisw@...>, Adrian Bunk <bunk@...>, Simon Arlott <simon@...>, <linux-kernel@...>, <linux-security-module@...>, Jan Engelhardt <jengelh@...>, Linus Torvalds <torvalds@...>, Andreas Gruenbacher <agruen@...>, Thomas Fricaccia <thomas_fricacci@...>, Jeremy Fitzhardinge <jeremy@...>, James Morris <jmorris@...>, Giacomo Catenazzi <cate@...>, Alan Cox <alan@...>
Clearly what is needed here is for someone to actually implement an
object capability LSM module. None of SELinux, SMACK, LIDS, AppArmor,
MultiADM, or TOMOYO can implement object capabilities, so there is clear
justification for building such a module. I would argue strongly to
include it.
I *really* dislike this idea. It seems to set up the situation that the
only acceptable modules are those that follow some "formal" model. Problems:
* What qualifies as a formal model? This becomes an arbitrary litmus
test, depending on whether the model was originally published in a
sufficiently snooty forum.
* What if someone invents a new model that has not been "formalized"
yet? Should Linux be forced to wait until the idea has been
through the academic mill before we allow someone to try
implementing a module for the idea?
* The proposal only allows a single implementation of each formal
model. In theory, theory is just like practice, but in practice it
is not. SMACK and SELinux follow substantially similar formal
models (not exactly the same) so should we exclude one and keep
the other? No, of course not, because in practice they are very
different.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin
CEO, Mercenary Linux http://mercenarylinux.com/
Itanium. Vista. GPLv3. Complexity at work
-
