Re: How will LSM evolve?

From: Chris Wright (chrisat_private)
Date: Mon Apr 08 2002 - 14:10:48 PDT


    * Charles Levert (LMC) (Charles.Levertat_private) wrote:
    > Hi.
    > 
    > After a discussion with my colleagues today, I wondered about the
    > following.  The kernel evolves all the time.  There will always be
    > patches available for it; some will be integrated, but others will
    > appear.  Assume that, e.g., the IPSec functionality from FreeS/WAN
    > would already be in the standard 2.4 kernel from which the LSM effort
    > was started.  Further assume that, were that the case, there would
    > have been one or more LSM hooks in that IPSec code.
    > 
    > Now, the reality is that IPSec is still a patch.  If, as is the plan,
    > LSM is integrated in the standard kernel, and if, later, the IPSec code
    > were also to be merged in with new hooks, what would be the consequences:
    > 	-- for existing object modules ?
    > 	-- for existing source modules (simple recompilation, or more)?
    
    First off, you have to assume that if LSM is in the mainline kernel,
    that is the standard interface.  Anything that lives outside the
    mainline and augments the interface is a patch and not under control of
    LSM, kernel, etc.
    
    The existing way to extend the interface is by adding new callbacks to
    the framework and augmenting the modules to implement the new callbacks.
    If your hypothetical code + hook(s) were added to the kernel, the
    interface would have to change accordingly.  Currently there is a version
    tag associated with the interface and a check that all callbacks are
    properly filled in, so object modules or simply recompiled source modules
    not using the new interface would fail to load.
    
    > What will be the general instructions for producing patches that want
    > to add new hooks?  In other words, how will LSM evolve once it's in
    > the standard kernel?  What will be the issues?
    
    I've been pondering this myself.  A general rule of thumb for the kernel
    is that its internal interface (the non-syscall interface exported to
    modules) is never considered fully stable.  In accordance with this,
    modules that live in tree should be kept up to date with interface
    changes, but even this is not guaranteed.
    
    Does this help answer your questions?
    
    cheers,
    -chris
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
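    The version-tag and filled-callback check Chris describes above, as an added illustrative model in C (this is not LSM's actual registration code; the struct, hook names and version numbers are hypothetical):

```c
#include <stddef.h>
#include <stdio.h>

/* Interface version, bumped whenever a hook is added (constructed value). */
#define LSM_IFACE_VERSION 2

/* Hypothetical hook table: two hooks existed in v1; a third slot for the
 * merged IPSec code is added in v2. */
struct sec_ops {
    unsigned int version;
    int (*file_permission)(int fd, int mask);
    int (*socket_create)(int family, int type);
    int (*ipsec_xfrm_policy)(int dir);   /* new hook added with the IPSec code */
};

enum { REG_OK = 0, REG_EBADVER = -1, REG_EMISSING = -2 };

/* Registration check modelled on the behaviour the mail describes:
 * reject a table built against a different interface version, and
 * reject a table that leaves any callback slot unfilled. */
static int register_sec_ops(const struct sec_ops *ops)
{
    if (ops->version != LSM_IFACE_VERSION)
        return REG_EBADVER;
    if (!ops->file_permission || !ops->socket_create || !ops->ipsec_xfrm_policy)
        return REG_EMISSING;
    return REG_OK;
}

static int allow_file(int fd, int mask) { (void)fd; (void)mask; return 0; }
static int allow_sock(int f, int t) { (void)f; (void)t; return 0; }
static int allow_xfrm(int dir) { (void)dir; return 0; }

/* Object module built against the old interface: stale version tag. */
const struct sec_ops old_module = { 1, allow_file, allow_sock, NULL };
/* Source module merely recompiled: picks up the new version tag, but its
 * initializer never filled the new slot, so it stays NULL. */
const struct sec_ops recompiled_module = { LSM_IFACE_VERSION, allow_file, allow_sock, NULL };
/* Module updated to implement every hook of the new interface. */
const struct sec_ops updated_module = { LSM_IFACE_VERSION, allow_file, allow_sock, allow_xfrm };

int main(void)
{
    printf("old: %d  recompiled: %d  updated: %d\n",
           register_sec_ops(&old_module), register_sec_ops(&recompiled_module),
           register_sec_ops(&updated_module));
    return 0;
}
```

    Only the updated table registers; the stale object module and the blindly recompiled source module are both refused, which is the load failure the reply predicts.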
    
    This archive was generated by hypermail 2b30 : Mon Apr 08 2002 - 14:12:40 PDT