| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1262281847.22369.0.camel@moss-terrapins.epoch.ncsc.mil> Date: Thu, 31 Dec 2009 12:50:47 -0500 From: "David P. Quigley" <dpquigl@...ho.nsa.gov> To: "Serge E. Hallyn" <serue@...ibm.com> Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, Casey Schaufler <casey@...aufler-ca.com>, Michael Stone <michael@...top.org>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, Andi Kleen <andi@...stfloor.org>, David Lang <david@...g.hm>, Oliver Hartkopp <socketcan@...tkopp.net>, Alan Cox <alan@...rguk.ukuu.org.uk>, Herbert Xu <herbert@...dor.apana.org.au>, Valdis Kletnieks <Valdis.Kletnieks@...edu>, Bryan Donlan <bdonlan@...il.com>, Evgeniy Polyakov <zbr@...emap.net>, "C. Scott Ananian" <cscott@...ott.net>, James Morris <jmorris@...ei.org>, Bernie Innocenti <bernie@...ewiz.org>, Mark Seaborn <mrs@...hic-beasts.com>, Randy Dunlap <randy.dunlap@...cle.com>, Américo Wang <xiyou.wangcong@...il.com> Subject: Re: A basic question about the security_* hooks On Thu, 2009-12-24 at 18:05 -0600, Serge E. Hallyn wrote: > Quoting Eric W. Biederman (ebiederm@...ssion.com): > > Casey Schaufler <casey@...aufler-ca.com> writes: > > > > > I'm behind you 100%. Use the LSM. Your module is exactly why we have > > > the blessed thing. Once we get a collection of otherwise unrelated > > > LSMs the need for a stacker will be sufficiently evident that we'll > > > be able to get one done properly. > > > > My immediate impression is that the big limitation today is the > > sharing of the void * security data members of strucutres. > > > > Otherwise multiple security modules could be as simple as. > > list_for_each(mod) > > if (mod->op(...) != 0) > > return -EPERM. > > > > It isn't hard to multiplex a single data field into several with a > > nice little abstraction. > > > > With my maintainer of a general purpose kernel hat on I would love to > > be able to build in all of the security modules and select at boot > > time which ones were enabled. > > You're supposed to be able to do that now - use the "security=smack" > or whatever boot option (see security/security.c:choose_lsm() ). > > -serge > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ Ubuntu and SuSe currently do this and it is what allows them to ship a kernel with both AppArmor and SELinux support built in. Dave -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists