[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e7d8f83e0904100526y38ba5cc1p905e7b19c0307525@mail.gmail.com>
Date: Fri, 10 Apr 2009 22:26:52 +1000
From: Peter Dolding <oiaohm@...il.com>
To: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Cc: jmorris@...ei.org, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org,
Kentaro Takeda <takedakn@...data.co.jp>,
Toshiharu Harada <haradats@...data.co.jp>
Subject: Re: [TOMOYO 1/2] tomoyo: add Documentation/tomoyo.txt
> +
> +We believe that inode based security and name based security are complementary
> +and both should be used together. But unfortunately, so far, we cannot enable
> +multiple LSM modules at the same time. We feel sorry that you have to give up
> +SELinux/SMACK/AppArmor etc. when you want to use TOMOYO.
> +
> +We hope that LSM becomes stackable in future. Meanwhile, you can use non-LSM
> +version of TOMOYO, available at http://tomoyo.sourceforge.jp/en/1.6.x/ .
> +LSM version of TOMOYO is a subset of non-LSM version of TOMOYO. We are planning
> +to port non-LSM version's functionalities to LSM versions.
>
If you go back through the mailing list you will find stackable has
been debated at length many times.
AppArmor and Tomoyo are both name based. So unlikely you would want
both at the same time.
LSM exists mostly because designers of security systems could not
decide on the 1 default Linux should have.
For inode and name based security the question should be can Tomoyo
merge with the other LSM modules in away that avoids stacking.
Smack and Selinux are sharing code in places with each other. Really
there are only 3 currently active developed LSM's Smack Selinux and
Tomoyo. Merge could basically get us down to 1 with 3 different
configure processing engines. I have not seen apparmor patches that
bring it up to using the secure way of doing name based secuirty.
Could have missed it.
Smack and Selinux both have not contained name based because there was
no secure way todo it. Due to Tomoyo teams work that has changed. So
both Smack and Selinux really need to look at there position on
supporting name based. I agree it would be a gain of Smack and
Selinux supported name based.
Major reason for not allowing multi-able LSM's is the risk that one
might interfere incorrectly with the others operation. This is why
merging is fine. Since the new method would have to be integrated at
development time into 1 LSM so there could not be conflits.
Peter Dolding
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists