Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)

>> > Seriously that makes a lot of sense.  All other modules people have come up
>> > with over the last years are irrelevant and/or broken by design.
>> 
>> It's been nearly a year since I proposed this, and we've not seen any 
>> appropriate LSM modules submitted in that time.
>> 
>> See
>> http://thread.gmane.org/gmane.linux.kernel.lsm/1120
>> http://thread.gmane.org/gmane.linux.kernel.lsm/1088
>> 
>> The only reason I can see to not delete it immediately is to give BSD 
>> secure levels users a heads-up, although I thought it was already slated 
>> for removal.  BSD secure levels is fundamentally broken and should 
>> never have gone into mainline.
>
>been a very long time and so far, only out-of-tree LSMs are present,
>with no public statements about getting them submitted into the main
>kernel tree.  And, I think almost all of the out-of-tree modules already
>need other kernel patches to get their code working properly, so what's
>a few more hooks needed...
>
>/me pokes the bushes to flush out the people lurking
>

Well then, have a look at http://alphagate.hopto.org/multiadm/

There is a reason why people [read: I] do not submit out-of-tree (OOT)
modules; because I think chances are low that they get in. Sad fact about the
Linux kernel.

>Oh, but do remember, the main goal of LSM was to stop people from
>arguing about different security models.  Now that it is in, we haven't
>had any bickering about different types of things that should go into
>mainline, all with different models and usages.  Everyone gets to play
>in their own sandbox and not worry about anyone else.  If the LSM
>interface was to go away, that problem would start happening again, and
>I don't think we want to go there.
>
>So, I think the only way to be able to realistically keep the LSM
>interface, is for a valid, working, maintained LSM-based security model
>to go into the kernel tree.  So far, I haven't seen any public posting
>of patches that meet this requirement :(

In that case, maybe it would be worthwhile to flip the positions, i.e. LSM on
top of SELinux, sort of a compat layer.



Jan Engelhardt