On Wed, Jul 10, 2002 at 02:37:38PM -0400, Stephen Smalley wrote:
>
> Since James has flattened the hooks, it would be good if we could nail
> down exactly what else needs to be done prior to formally submitting LSM
> for consideration to the kernel developers and parcel out tasks. Any
> timeline on when Greg might start feeding patches to Linus? Looking
> at Seth's notes from the OLS BOF:

I'd be glad to start feeding them, but want to see the following done
first:
	- split out the "non LSM" patches from the tree and send those
	  first.
	- either remove, or provide a config option to remove the
	  network hooks. Robert Love gave me the idea of how to make
	  them configurable that I'd be glad to do if someone wants me
	  to. Actually, I could make all the hooks configurable if we
	  want to (header file judo is fun :)

> James pointed out that we can remove the NetFilter IP hooks from LSM and
> simply let the modules register them as necessary. Is anyone already
> working on a patch for this? Do we also need to make the non-NetFilter
> IPv4 networking hooks configurable? What about the skb hooks? The
> sock_rcv_skb hook? The socket layer hooks? Does this need to be done
> prior to initial submission of the LSM patch?

I think yes. The network portion of LSM will have to go through the
network people, and that might be a tough thing :)

> > Chris wants to convert the VFS interface to a stackable filesystem
> > layout. Who knows when he will get to it. This ought to eliminate pre,
> > post, and mediation hooks. (Patrick jokes VVFS.) This functionality
> > would be useful to more people, such as server-based filesystems,
> > compressed filesystems, encrypted filesystems, etc. What might be lost?
>
> This seems to be way outside the scope of LSM. Surely we aren't planning
> on deferring initial submission of LSM until after this kind of change?
> Wasn't this idea rejected a long time ago due to being out of scope and
> due to concerns with exposing too much kernel functionality to loadable
> kernel modules?

No, we don't want to wait to submit LSM for this feature. You are
correct in that it is a "nice to have" thing, that we might eventually
get in 2.7 if Chris has the time :)

thanks,

greg k-h