Re: Submitting LSM (Was: Re: OLS Bof info)

From: Chris Wright (chrisat_private)
Date: Wed Jul 10 2002 - 13:31:22 PDT


    * Stephen Smalley (sdsat_private) wrote:
    > I'm not clear as to whether we need to continue waiting on the pending VFS
    > changes.  The LSM patch and the existing open source security modules
    > certainly don't depend on any pending VFS changes (although some of the
    > other modules may have dependencies, e.g. SubDomain), so there is no
    > benefit to the LSM project to wait on these changes.  If the VFS changes
    > aren't a high priority to Al Viro, then is it really critical that we
    > wait?
    
    I agree, this is not critical to wait for.
    
    > James pointed out that we can remove the NetFilter IP hooks from LSM and
    > simply let the modules register them as necessary.  Is anyone already
    > working on a patch for this?  Do we also need to make the non-NetFilter
    > IPv4 networking hooks configurable?  What about the skb hooks?  The
    > sock_rcv_skb hook?  The socket layer hooks?  Does this need to be done
    > prior to initial submission of the LSM patch?
    
    The patch will be submitted as pieces.  So these changes may become
    requirements when the networking folks take a look at the patch.
    
    > > Chris wants to convert the VFS interface to a stackable filesystem
    > > layout. Who knows when he will get to it. This ought to eliminate pre,
    > > post, and mediation hooks. (Patrick jokes VVFS.) This functionality
    > > would be useful to more people, such as server-based filesystems,
    > > compressed filesystems, encrypted filesystems, etc. What might be lost?
    > 
    > This seems to be way outside the scope of LSM.  Surely we aren't planning
    > on deferring initial submission of LSM until after this kind of change?
    > Wasn't this idea rejected a long time ago due to being out of scope and
    > due to concerns with exposing too much kernel functionality to loadable
    > kernel modules?
    
    Yes, this is not intended for submission.  And no, I don't see any
    concern with exposing too much functionality this way.  It's already
    possible to plug in a filesystem (i.e. the bits needed are already
    exposed).
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net