Re: [RFC] [PATCH] [0/6] LSM Stacking

From: Chris Wright
Date: Thu Nov 04 2004 - 20:20:25 EST


* Serge E. Hallyn (serue@xxxxxxxxxx) wrote:
> Hi,
>
> Quoting Chris Wright (chrisw@xxxxxxxx):
> ...
> > I think, all in all, this needs more work and more justification (esp.
> > w.r.t. overhead and impact on the current common use of a single
> > module).
>
> Would it help to make CONFIG_NUM_LSMS a boot time option, and default
> to 1?

That number is only valid at compile time (it defines structure sizes,
etc).

> As for justification, the fact that many LSMS currently cannot be
> used simultaneously seemed the most prominent. It certainly seems viable
> to use SELinux to protect audit logs and shadow files, use bsdjail to
> offer certain services, and use securelevel for some generic hardening,
> for instance.

Understood, although I don't think you'll get SELinux folks to agree
that it could be useful in conjunction with other modules like that. The
real bottom line is that it can't slow anything down for the single
module case.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
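A toy user-space model of the two points raised in this exchange, added here as an illustration and not code from the patch series or from the kernel: the module table is sized by a compile-time CONFIG_NUM_LSMS (which is why it cannot become a boot-time option), and the dispatcher gives the single-module case one direct indirect call with no loop. The hook signature, the two module names and their deny rules are constructed for the example.

```c
#include <stddef.h>
#include <errno.h>

/* Compile-time constant: it fixes the size of lsm_table below, so it
 * cannot be changed at boot without re-sizing every structure that uses it. */
#define CONFIG_NUM_LSMS 4

/* Minimal stand-in for an LSM ops table with a single hook (constructed). */
struct lsm_ops {
    const char *name;
    int (*inode_permission)(int uid, int mask);
};

static const struct lsm_ops *lsm_table[CONFIG_NUM_LSMS];
static int lsm_count;

void lsm_reset(void) { lsm_count = 0; }

/* Registration fails once the compile-time table is full. */
int lsm_register(const struct lsm_ops *ops)
{
    if (lsm_count >= CONFIG_NUM_LSMS)
        return -ENOSPC;
    lsm_table[lsm_count++] = ops;
    return 0;
}

/* Stacked hook: every registered module must grant; the first denial wins.
 * With exactly one module the loop is skipped entirely, so the common
 * single-module configuration pays only the one indirect call it pays today. */
int security_inode_permission(int uid, int mask)
{
    if (lsm_count == 1)
        return lsm_table[0]->inode_permission(uid, mask);
    for (int i = 0; i < lsm_count; i++) {
        int rc = lsm_table[i]->inode_permission(uid, mask);
        if (rc)
            return rc;
    }
    return 0;
}

/* Two toy modules (constructed): mask bit 2 = write, bit 4 = read. */
static int deny_nonroot_write(int uid, int mask) { return (uid != 0 && (mask & 2)) ? -EACCES : 0; }
static int deny_uid_1000(int uid, int mask) { (void)mask; return uid == 1000 ? -EPERM : 0; }
const struct lsm_ops mod_a = { "mod_a", deny_nonroot_write };
const struct lsm_ops mod_b = { "mod_b", deny_uid_1000 };
```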