Re: Linux Security *Module* Framework (Was: LSM conversion tostatic interface)

From: Adrian Bunk
Date: Wed Oct 24 2007 - 19:31:46 EST


On Wed, Oct 24, 2007 at 03:58:02PM -0700, Casey Schaufler wrote:
>
> --- Adrian Bunk <bunk@xxxxxxxxxx> wrote:
>
> > ...
> >
> > There are other points in this thread that might or might not warrant
> > making LSM modular again, but even though it might sound harsh breaking
> > external modules and thereby making people aware that their code should
> > get into the kernel is IMHO a positive point.
>
> Those proposing LSM modules over the past couple years have
> been treated most harshly. I have personally taken the least
> flak of anyone on my proposal, and at that there have been
> times where I felt like pulling out the #5 clue stick and
> taking a few swings. It's no wonder that people are afraid
> to suggest a module. I didn't do it until I had combed through
> the archives and prepared answers for the most common attacks.
> I hope that Smack moving forward will defuse some of the bad
> vibes that have clouded the LSM for so long. I don't blame
> anyone who kept their module to themself given the hostility
> which even successful products have encountered.
>
> And don't give me the old "LKML is a tough crowd" feldercarb.
> Security modules have been much worse. Innovation, even in
> security, is a good thing and treating people harshly, even
> "for their own good", is an impediment to innovation.

What I'm giving you is "Linus has decreed there can be LSMs other than
SELinux."

Getting LSMs included should no longer be harder than for other
parts of the kernel.

And don't get me wrong, I'm not saying my point should decide this
discussion. It's simply the point that making it harder for external
code also has advantages.

> Casey Schaufler

cu
Adrian

--

"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/