Re: How will LSM evolve?

From: Kurt Seifried (listuserat_private)
Date: Mon Apr 08 2002 - 14:52:11 PDT


    > Hi.
    >
    > After a discussion with my colleagues today, I wondered about the
    > following.  The kernel evolves all the time.  There will always be
    > patches available for it; some will be integrated, but others will
    > appear.  Assume that, e.g., the IPSec functionality from FreeS/WAN
    > would already be in the standard 2.4 kernel from which the LSM effort
    > was started.  Further assume that, were that the case, there would
    > have been one or more LSM hooks in that IPSec code.
    >
    > Now, the reality is that IPSec is still a patch.  If, as is the plan,
    > LSM is integrated in the standard kernel, and if, later, the IPSec code
    > were also to be merged in with new hooks, what would be the consequences:
    > -- for existing object modules ?
    > -- for existing source modules (simple recompilation, or more)?
    >
    > What will be the general instructions for producing patches that want
    > to add new hooks?  In other words, how will LSM evolve once it's in
    > the standard kernel?  What will be the issues?
    
    IPSec is a _BAD_ example. It's not well written IMHO (only works for i386 if
    memory serves.... that's pretty lame); in fact they are using a code base
    several years old that they probably should have thrown out and started
    fresh, but haven't. Very few vendors have integrated it into the kernels
    they ship (for example Red Hat ships CIPE rather than FreeS/WAN, that should
    tell you something right there).
    
    LSM OTOH has been designed and written with kernel integration in mind, and
    while Linux kernel changes may break it (for example if they rip out the VM
    system _again_), it'll get fixed. And vendors will test it to make sure
    it works; realistically most users now run vendor-supplied kernels, so it's
    much less of an issue than it used to be.
    
    >
    > Thanks.
    >
    >
    > Charles
    
    
    
    
    Kurt Seifried, kurtat_private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
    
    



    This archive was generated by hypermail 2b30 : Mon Apr 08 2002 - 13:53:37 PDT