Since James has flattened the hooks, it would be good if we could nail down exactly what else needs to be done prior to formally submitting LSM for consideration to the kernel developers and parcel out tasks. Any timeline on when Greg might start feeding patches to Linus?

Looking at Seth's notes from the OLS BOF:

On Thu, 27 Jun 2002, Seth Arnold wrote:

> Q: "Is there still a wait for pending VFS changes?" A: "Al Viro claims
> to be working on it, not likely this is his highest priority. We could
> make the changes for him, but it would require making changes to
> filesystems, which would be a lot of work; since it is Al's subsystem,
> we need to work with him."
>
> q: "If we are waiting on VFS, is it just the VFS piece that needs to
> wait, or the whole patch?" A: "It is only the VFS pieces that need to
> wait, but the other pieces are useless in comparison." "The major
> rearrangements to the VFS subsystem are probably done, but we've been
> trying to get him to finish it off since December; the extended
> attributes people have asked him to add the same functionality."

I'm not clear as to whether we need to continue waiting on the pending VFS changes. The LSM patch and the existing open source security modules certainly don't depend on any pending VFS changes (although some of the other modules may have dependencies, e.g. SubDomain), so there is no benefit to the LSM project to wait on these changes. If the VFS changes aren't a high priority to Al Viro, then is it really critical that we wait?

> 2.5 submission:
>
> We will need to flatten the security structure; who wants grunt work?

James has done this.

> We will probably need to get the networking hooks configurable.

James pointed out that we can remove the NetFilter IP hooks from LSM and simply let the modules register them as necessary. Is anyone already working on a patch for this? Do we also need to make the non-NetFilter IPv4 networking hooks configurable? What about the skb hooks? The sock_rcv_skb hook? The socket layer hooks? Does this need to be done prior to initial submission of the LSM patch?

> Chris wants to convert the VFS interface to a stackable filesystem
> layout. Who knows when he will get to it. This ought to eliminate pre,
> post, and mediation hooks. (Patrick jokes VVFS.) This functionality
> would be useful to more people, such as server-based filesystems,
> compressed filesystems, encrypted filesystems, etc. What might be lost?

This seems to be way outside the scope of LSM. Surely we aren't planning on deferring initial submission of LSM until after this kind of change? Wasn't this idea rejected a long time ago due to being out of scope and due to concerns with exposing too much kernel functionality to loadable kernel modules?

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 11:39:29 PDT