| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <471FA8A1.6070904@crispincowan.com> Date: Wed, 24 Oct 2007 13:18:41 -0700 From: Crispin Cowan <crispin@...spincowan.com> To: Jan Engelhardt <jengelh@...putergmbh.de> CC: Simon Arlott <simon@...e.lp0.eu>, Adrian Bunk <bunk@...nel.org>, Chris Wright <chrisw@...s-sol.org>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, Linus Torvalds <torvalds@...ux-foundation.org>, Andreas Gruenbacher <agruen@...e.de>, Thomas Fricaccia <thomas_fricacci@...oo.com>, Jeremy Fitzhardinge <jeremy@...p.org>, James Morris <jmorris@...ei.org>, Giacomo Catenazzi <cate@...ian.org>, Alan Cox <alan@...rguk.ukuu.org.uk> Subject: Re: Linux Security *Module* Framework (Was: LSM conversion to static interface) Jan Engelhardt wrote: > On Oct 24 2007 19:11, Simon Arlott wrote: > >> * (I've got a list of access rules which are scanned in order until one of >> them matches, and an array of one bit for every port for per-port default >> allow/deny - although the latter could be removed. >> http://svn.lp0.eu/simon/portac/trunk/) >> > Besides the 'feature' of inhibiting port binding, > is not this task of blocking connections something for a firewall? > So now you are criticizing his module. Arguing about the merits of security semantics. This is exactly why Linus wanted LSM, so we don't have to have these kinds of discussions, at least not on LKML :) It seems to me that LSM used to be an open API. Anyone could code to it, so you could at least try to ship a module that will load into a major vendor's stock kernel for an important release. Now with this change, it is effectively a closed API. You can only load the modules that the distro vendor shipped to you. If you want *anything* other than what RH or Novell or Canonical or Mandriva etc. says you should want, then you have to hack the source code for your kernel. Open source is great, and it is wonderful that you *can* hack the source if you need to, but demanding that end users patch their source code when all they want to do is load a module is really, really sad. Please revert this patch. Its benefits are no where near its costs. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Itanium. Vista. GPLv3. Complexity at work - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists