| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 Apr 2016 14:36:43 -0400 From: Paul Moore <paul@...l-moore.com> To: David Miller <davem@...emloft.net> Cc: pabeni@...hat.com, linux-security-module@...r.kernel.org, James Morris <james.l.morris@...cle.com>, agruenba@...hat.com, Stephen Smalley <sds@...ho.nsa.gov>, fw@...len.de, netdev@...r.kernel.org, selinux@...ho.nsa.gov Subject: Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed On Wed, Apr 6, 2016 at 2:23 PM, David Miller <davem@...emloft.net> wrote: > From: Paul Moore <paul@...l-moore.com> > Date: Wed, 6 Apr 2016 10:07:27 -0400 > >> "While marking the LSM hook structure doesn't directly affect the >> SELinux netfilter hooks, once we remove the ability to deregister the >> LSM hooks we will have no need to support deregistering netfilter >> hooks and I expect we will drop that functionality as well to help >> decrease the risk of tampering." > > This is not a reasonable postiion. > > The performance implications are non-trivial for using netfilter hooks > when they aren't actually needed. With all due respect, I think you've taken what I consider to be some unreasonable positions when it comes to the network stack and LSMs in the past. We have different perspectives and different priorities as a result, from my perspective the security advantage gained by eliminating the ability to disable SELinux at runtime is more important. -- paul moore www.paul-moore.com
Powered by blists - more mailing lists