* frm crispinat_private "08/09/01 16:52:32 -0700" | sed '1,$s/^/* /'
*
* David Wagner wrote:
*
*> richard offer wrote:
*> > I really don't like the idea of forcing the use of the /proc filesystem
*> > just to enable the use of LSM.
*> >
*> > This could affect the uptake of LSM in the embedded space.
*>
*> Do we have any evidence from real embedded guys that they actually want
*> to use non-trivial LSM modules? (Non-trivial enough that they need to be
*> controlled through /proc, that is.) I don't know whether there are any
*> embedded folks on this list, but maybe this isn't even a problem.
*
* I'd agree that an embedded system that's fussy about the use of /proc is
* also likely so small that they don't want big LSM modules.

That rules out the use of an LSM policy (SELinux/audit/MAC) on firewalls, routers and other network devices. It's not that they don't have the room for it, but forcing anyone to do anything before they can use something that you're trying to sell them makes the job harder. It's going to be hard enough as it is.

David said :-

* As you say, it needs to be measured. However, unless I missed something
* above, my view is that, in absence of measurements or other evidence to
* the contrary, we should proceed on the assumption that we can make the
* performance of a /proc-based solution good enough, if we want to do so.

I disagree: our existing code (SELinux, SubDomain, audit, MAC) is all system call based, as is the rest of unix. Unless there are overwhelming technical reasons for not multiplexing a single system call, I believe we should move forward with that.

* Crispin
*

richard.
-----------------------------------------------------------------------
Richard Offer                     Technical Lead, Trust Technology, SGI
"Specialization is for insects"
_______________________________________________________________________

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 17:32:41 PDT