Re: [PATCH v15 01/11] LSM: Identify modules by more than name

From: Kees Cook
Date: Sun Sep 24 2023 - 15:48:23 EST


On September 24, 2023 4:06:07 AM PDT, Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:
>Patch description says
>
> The LSM ID values are sequential, with the oldest module
> LSM_ID_CAPABILITY being the lowest value and the existing modules
> numbered in the order they were included in the main line kernel.
> This is an arbitrary convention for assigning the values, but
> none better presents itself. The value 0 is defined as being invalid.

"in the order they were included in the main line kernel" Out-of-tree modules aren't in main line.

And "This is an arbitrary convention" specifically says it's arbitrary.

There is literally nothing here stopping out-of-tree modules. I have proven this, and so have you with these quotes. What is left to object to?

>You withdraw your "Reviewed-by" response unless "The LSM ID values are sequential"
>and "must be approved by the LSM maintainers" are removed and "the LSM maintainers/community
>shall never complain about what names and/or values are assigned" is added, don't you?

*For main line kernels*

Please, understand both the *intent* and *reality*: this does not block out-of-tree LSMs, full stop.

>Keeping how the HUGE space is used under control of the LSM community will be
>better for both in-tree and out-of-tree LSM modules. I really can't understand
>why you don't want to utilize this opportunity.

I cannot understand what else you need to hear.

-Kees


--
Kees Cook