static LSM objection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I just wanted to voice my opinion about the static LSM changes.
(I apologize about being late[1] to the discussion[2] -- I'd only recently
become aware of it.)  I'm personally really against this.  For example,
I want to give people choice about their security protections in Ubuntu,
and I'd like to let them pick the MAC that suits their needs.

Some people want SELinux, some people want AppArmor.  (Yes, I know
AppArmor isn't in mainline yet, but it does seem they're getting closer --
three distros are shipping AppArmor.  The static changes feel motivated
by political rather than technical reason -- though it of course have
technical merit.)  Considering things like SMACK and TOMOYO, it is going
to be very troublesome for distros to have to start building multiple
kernels to support each given MAC that their users want to use.

So, unless this is just re-hashing and you can point me to discussion
points I missed, can someone help me understand the technical issues
around this change?  It sounds like the primary reason for making it
non-modular is performance loss due to call overhead.  Aren't there
other ways to solve this without removing the boot-time module choice?
(Make it unloadable?)

I'm not convinced that the advantages of making it static out-weigh the
benefit of having it as a choice at boot-time.  (I don't really mind
needing a reboot to switch MAC implementations, as long as there is some
benefit from making them unloadable, though it sounds like there are
people would are against making LSMs unloadable too.)

Thanks,

-Kees

/me pops the safety off his fire extinguisher

[1] http://lkml.org/lkml/2007/7/19/228
[2] http://lkml.org/lkml/2007/7/14/91

-- 
Kees Cook
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux