On Mon, Aug 06, 2001 at 10:43:46AM -0700, Crispin Cowan wrote:
>
> IMHO, the "DAC-out" plan doesn't have a snowball's chance in hell.
> I put the question to Ted just to get a definitive opinion. Even if
> Ted does come back with "we don't care" (improbable) I still believe
> that a solid majority of the LSM implementers are opposed to
> DAC-out.

Sorry for the delay in responding, I was at the IETF meeting last week,
and was distracted by a number of other issues (beware having reporters
on mailing lists, because they will badly misinterpret e-mail messages
and spawn headlines in Network World of the form "IETF abandons critical
VPN technology", when nothing could be further from the truth. I heard
that misinformation reached as far as the news summary sheet for the
FBI. :-/ )

This week I'm on vacation, but I'm staying at Stephen Tweedie's house to
attend the Edinburgh Festival (and to get some ext3 hacking done), which
means that I have network connectivity...

So I just took a look at the flame war on this thread so I could get a
sense of the arguments, and here's my "authoritative ruling" (gee, I feel
like I'm being asked to play the role of King Solomon --- but please
remember, I'm NOT the King Penguin :-)

I would suggest that what's most likely to get into the kernel is
something where the Linux Security Module can be made *optional*. What I
mean by that is that there's a CONFIG_LSM which if turned off, changes
all of the callouts to be no-ops, via the magic of some C preprocessor
functions which either call out to the structure pointers, or become a
no-op.

If capabilities are moved out so that they require LSM support, that's
probably OK, since they are rarely used, and it means that people can get
a slightly smaller kernel if they don't even want to use capabilities.
(However, that does mean putting a simple/limited superuser concept back
into the kernel.)
On the other hand, if you want to require LSM, that might be OK, but it
had better be lightweight, and you should have benchmarks to prove it.

The other, orthogonal issue is one of minimizing actual changes to the
codepaths. That's probably the reason why I would avoid DAC-out in the
initial patch which you send to Linus. If you simply are adding callouts
in a few locations, it will be a lot easier for the patch to get
swallowed as an experimental config option.

Then assuming that people are willing to live with LSM, you can propose
sending in a patch which moves the traditional Unix DAC handling to a
LSM, under the guise of code simplification. But do that as a separate
patch, after LSM is accepted into the kernel....

						- Ted
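The optional-callout arrangement described in the message above, as an added user-space sketch that is not part of the original e-mail or of the LSM patch itself. `security_ops`, `SECURITY_CALL`, `register_security`, `do_open`, `file_ctx` and the sample module are hypothetical names, and `CONFIG_LSM` is defined inline as a stand-in for the kernel config option.

```c
#include <stdio.h>
#include <errno.h>

#define CONFIG_LSM 1  /* stand-in for the config option; delete to compile the callouts away */

struct file_ctx { unsigned owner_uid; unsigned mode; };  /* hypothetical object being opened */

#ifdef CONFIG_LSM
/* Hypothetical hook table: one function pointer per callout site. */
struct security_ops { int (*file_open)(unsigned uid, const struct file_ctx *f); };

static int permit_open(unsigned uid, const struct file_ctx *f) { (void)uid; (void)f; return 0; }
static struct security_ops default_ops = { permit_open };
static struct security_ops *security_ops = &default_ops;

/* A module swaps in its own table; NULL restores the permissive default. */
void register_security(struct security_ops *ops) { security_ops = ops ? ops : &default_ops; }

#define SECURITY_CALL(hook, ...) (security_ops->hook(__VA_ARGS__))
#else
#define SECURITY_CALL(hook, ...) (0)  /* no-op: no pointer load, no indirect call */
#endif

/* The traditional DAC check stays in the code path (no "DAC-out");
 * the callout runs afterwards and can only add a restriction. */
int do_open(unsigned uid, const struct file_ctx *f)
{
    if (uid != 0 && uid != f->owner_uid && !(f->mode & 04))
        return -EACCES;                       /* existing logic, unchanged */
    return SECURITY_CALL(file_open, uid, f);  /* the added callout */
}

#ifdef CONFIG_LSM
/* Sample module: refuses root access to files that root does not own. */
static int no_root_override(unsigned uid, const struct file_ctx *f)
{
    return (uid == 0 && f->owner_uid != 0) ? -EPERM : 0;
}
struct security_ops strict_ops = { no_root_override };
#endif

int main(void)
{
    struct file_ctx f = { 1000, 0600 };       /* constructed sample file */
    printf("root, default policy: %d\n", do_open(0, &f));
#ifdef CONFIG_LSM
    register_security(&strict_ops);
    printf("root, strict module:  %d\n", do_open(0, &f));
#endif
    return 0;
}
```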