Re: [PATCH try #3] security: Convert LSM into a static interface

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/19/07, James Morris <[email protected]> wrote:
On Thu, 19 Jul 2007, Serge E. Hallyn wrote:

> If we could get a few (non-afilliated :) people who work with
> customers in the security field to tell us whether this is being
> used, that would be very helpful.  Not sure how to get that.

The mainline kernel does not cater to out of tree code.

Please distinguish between "cater to" and "support". If the kernel
didn't worry about supporting out-of-tree code, then why would there
be loadable module at all?

Christian Ehrhardt already pointed to two reasons for loadable LSMs
that are sufficient to justify keeping them - so you can replace them
iteratively while you're developing them or choose between
alternatives.

Another twist is to use a tool to generate the module from a
policy-definition file; this could be done at boot-time or could be
done to replace the current policy on a running system (perhaps to add
a new domain corresponding to a newly added service). Yes, this would
need to be done with a lot of care, but part of providing mechanism
(rather than policy) is enabling people to use the mechanism in the
ways they prefer.

scott
--
scott preece
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux