Yes it can, but not the two you list.
That's not the rationale for the patch, it's just some talking point you
picked up. The rationale for the patch is to prevent abuse. So point 1
is
1) Is the LSM infrastructure being abused, and how detrimental
is that abuse
As has come up, the abuse comes in two forms, and people seem to want to
blur the two forms to make it seem especially relevant and heinous...
2) Is the loss of flexibility in the LSM framework a worthwhile
tradoff against the abuse prevention.
Clearly I and a very few others feel no, and a very vocal set (which
sure sounds like a majority) says yes.
Now quit trying to give technical justifications for something which is
technical only insofar as it is a technical roadblock to prevent a legal
problem.
LSM is an infrastructure. It's up to the modules to provide that, and
it can be done. DTE used to do it. Dirjail used to do it. Capability
does it.
And since LSM won't be modular anymore it doesn't matter.
Another blatant lie, not unlike "come to the table to upstream your LSM,
and we'll help you, honest."
(The funny thing about that is, I actually like SELinux, more than the
alternatives in general. I just can't stand the attitudes voice by much
of its camp.)
-serge
PS - should we rename 'LSM' to 'LSI' - linux security infrastructure?
Calling it LSM now is kind of moronic.
-
