| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <50F05656.5060301@schaufler-ca.com> Date: Fri, 11 Jan 2013 10:13:42 -0800 From: Casey Schaufler <casey@...aufler-ca.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> CC: John Johansen <john.johansen@...onical.com>, James Morris <jmorris@...ei.org>, Stephen Rothwell <sfr@...b.auug.org.au>, LSM <linux-security-module@...r.kernel.org>, LKLM <linux-kernel@...r.kernel.org>, SE Linux <selinux@...ho.nsa.gov>, Eric Paris <eparis@...hat.com>, Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>, Kees Cook <keescook@...omium.org>, Andrew Morton <akpm@...ux-foundation.org>, Casey Schaufler <casey@...aufler-ca.com> Subject: Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs On 1/10/2013 4:46 PM, Eric W. Biederman wrote: > John Johansen <john.johansen@...onical.com> writes: > >> On 01/09/2013 05:28 AM, James Morris wrote: >>> On Tue, 8 Jan 2013, John Johansen wrote: >>> >>>>> I'd say we need to see the actual use-case for Smack and Apparmor being >>>>> used together, along with at least one major distro committing to support >>>>> this. >>>>> >>>>> >>>> Ubuntu is very interested in stacking >>> Which modules? >>> >> Well Yama which has now been special cased, and in the past there has been >> discussion about other special case LSMs like case is proposing for module >> loading. There has been interest around both selinux + apparmor and >> smack + apparmor. I am not sure of all of the use cases that have lead to >> such question but some of them have been around containers, with say >> selinux on the host and apparmor in the container, or visa versa. > When a distro is run in a container it is desirable to be able to run > the distro's security policy in that container. Ideally this will get > addressed by being able to do some level of per user namespace stacking. > Say selinux outside and apparmor inside a container. > > I think this would take a little more work than what Casey has currently > devised but I am hopeful an additional layer of stacking can be added > after Casey has merged the basic layer of stacking. Would that be per-container LSM lists? I hadn't thought about doing that, and don't know how you might implement it, but I suppose it could work. > > Eric > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists