[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20071024223124.GI30533@stusta.de>
Date: Thu, 25 Oct 2007 00:31:24 +0200
From: Adrian Bunk <bunk@...nel.org>
To: Simon Arlott <simon@...e.lp0.eu>
Cc: Chris Wright <chrisw@...s-sol.org>, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
Jan Engelhardt <jengelh@...putergmbh.de>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Andreas Gruenbacher <agruen@...e.de>,
Thomas Fricaccia <thomas_fricacci@...oo.com>,
Jeremy Fitzhardinge <jeremy@...p.org>,
James Morris <jmorris@...ei.org>,
Crispin Cowan <crispin@...spincowan.com>,
Giacomo Catenazzi <cate@...ian.org>,
Alan Cox <alan@...rguk.ukuu.org.uk>
Subject: Re: Linux Security *Module* Framework (Was: LSM conversion to
static interface)
On Wed, Oct 24, 2007 at 07:11:17PM +0100, Simon Arlott wrote:
> On 24/10/07 13:55, Adrian Bunk wrote:
> > On Wed, Oct 24, 2007 at 12:50:29PM +0100, Simon Arlott wrote:
> >> I currently have an LSM that only handles permissions for socket_bind
> >> and socket_listen, I load it and then "capability" as secondary on
> >> boot - but now I can't because the LSM framework is now just the LS
> >> framework.
> >>
> >> Why can't this "static LSM" change be a Kconfig option?
> >> (I don't want to have to maintain my own reverted copy of security/,
> >> or compile this into the kernel because then I can't ever modify and
> >> reload it without rebooting.)
> >
> > Let's start with the more important questions:
> >
> > Did you submit your LSM for inclusion into the kernel?
>
> No, because the interface for configuring it would be rejected... I have
> a /proc file which I write a binary configuration file to. This works
> fine for me but it would take a lot of work to write a proper interface
> - which I'm still not sure how to do*.
>...
Generally, the goal is to get external modules included into the kernel.
You want to be able to have this functionality and you do not want to
use SELinux for it.
But instead of working on getting your code into the kernel you are
requesting that an API making it easier for you to maintain it
externally comes back.
There are other points in this thread that might or might not warrant
making LSM modular again, but even though it might sound harsh breaking
external modules and thereby making people aware that their code should
get into the kernel is IMHO a positive point.
> Simon Arlott
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists