lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87lic0sg09.fsf@xmission.com>
Date:	Thu, 10 Jan 2013 16:46:46 -0800
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	John Johansen <john.johansen@...onical.com>
Cc:	James Morris <jmorris@...ei.org>,
	Casey Schaufler <casey@...aufler-ca.com>,
	Stephen Rothwell <sfr@...b.auug.org.au>,
	LSM <linux-security-module@...r.kernel.org>,
	LKLM <linux-kernel@...r.kernel.org>,
	SE Linux <selinux@...ho.nsa.gov>,
	Eric Paris <eparis@...hat.com>,
	Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
	Kees Cook <keescook@...omium.org>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs

John Johansen <john.johansen@...onical.com> writes:

> On 01/09/2013 05:28 AM, James Morris wrote:
>> On Tue, 8 Jan 2013, John Johansen wrote:
>> 
>>>> I'd say we need to see the actual use-case for Smack and Apparmor being 
>>>> used together, along with at least one major distro committing to support 
>>>> this.
>>>>
>>>>
>>> Ubuntu is very interested in stacking
>> 
>> Which modules?
>> 
> Well Yama which has now been special cased, and in the past there has been
> discussion about other special case LSMs like case is proposing for module
> loading. There has been interest around both selinux + apparmor and
> smack + apparmor. I am not sure of all of the use cases that have lead to
> such question but some of them have been around containers, with say
> selinux on the host and apparmor in the container, or visa versa.

When a distro is run in a container it is desirable to be able to run
the distro's security policy in that container.  Ideally this will get
addressed by being able to do some level of per user namespace stacking.
Say selinux outside and apparmor inside a container.

I think this would take a little more work than what Casey has currently
devised but I am hopeful an additional layer of stacking can be added
after Casey has merged the basic layer of stacking.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ