lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <471FA8A1.6070904@crispincowan.com>
Date:	Wed, 24 Oct 2007 13:18:41 -0700
From:	Crispin Cowan <crispin@...spincowan.com>
To:	Jan Engelhardt <jengelh@...putergmbh.de>
CC:	Simon Arlott <simon@...e.lp0.eu>, Adrian Bunk <bunk@...nel.org>,
	Chris Wright <chrisw@...s-sol.org>,
	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Andreas Gruenbacher <agruen@...e.de>,
	Thomas Fricaccia <thomas_fricacci@...oo.com>,
	Jeremy Fitzhardinge <jeremy@...p.org>,
	James Morris <jmorris@...ei.org>,
	Giacomo Catenazzi <cate@...ian.org>,
	Alan Cox <alan@...rguk.ukuu.org.uk>
Subject: Re: Linux Security *Module* Framework (Was: LSM conversion to static
 interface)

Jan Engelhardt wrote:
> On Oct 24 2007 19:11, Simon Arlott wrote:
>   
>> * (I've got a list of access rules which are scanned in order until one of 
>> them matches, and an array of one bit for every port for per-port default 
>> allow/deny - although the latter could be removed.
>> http://svn.lp0.eu/simon/portac/trunk/)
>>     
> Besides the 'feature' of inhibiting port binding,
> is not this task of blocking connections something for a firewall?
>   
So now you are criticizing his module. Arguing about the merits of
security semantics. This is exactly why Linus wanted LSM, so we don't
have to have these kinds of discussions, at least not on LKML :)

It seems to me that LSM used to be an open API. Anyone could code to it,
so you could at least try to ship a module that will load into a major
vendor's stock kernel for an important release.

Now with this change, it is effectively a closed API. You can only load
the modules that the distro vendor shipped to you. If you want
*anything* other than what RH or Novell or Canonical or Mandriva etc.
says you should want, then you have to hack the source code for your kernel.

Open source is great, and it is wonderful that you *can* hack the source
if you need to, but demanding that end users patch their source code
when all they want to do is load a module is really, really sad.

Please revert this patch. Its benefits are no where near its costs.

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
	       Itanium. Vista. GPLv3. Complexity at work

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ