Re: [PATCH] remove sys_security

From: Greg KH (gregat_private)
Date: Fri Oct 18 2002 - 09:53:51 PDT

  • Next message: Russell Coker: "Re: [PATCH] remove sys_security"

    On Fri, Oct 18, 2002 at 05:33:39PM +0100, Christoph Hellwig wrote:
    > 
    > And exactly these hooks harm.  They are all over the place, have performance
    > and code size impact and mess up readability.  Why can't you just maintain
    > an external patch like i.e. mosix folks that nead similar deep changes?
    
    They do not have performance impacts (with the minor exception of
    networking, which has been talked about before), and now they do not
    have any size impact.  As for readability, that is also not an issue.
    
    And no, we do not want to maintain an external patch, as that's not what
    this project is about.  At the first kernel summit, Linus said he wanted
    this patch to allow people to pick their own security model (so we
    didn't have to end up with SELinux as a default, vs. LIDS, vs.
    SubDomain, vs. whatever.)  At the second kernel summit, this patch was
    again talked about, and was stated that it would be accepted, as we met
    the goals initially talked about (mediation of kernel objects, not
    syscalls or auditing.)
    
    The whole idea of this patch is for it to be in the kernel, having it
    external, doesn't help anyone out, they might as well just do their own
    thing, like they were doing before.
    
    Now there is no size impact, and no performance impact if you disable
    the config option (which is the default right now!)  I'm all for
    dropping the syscall too, if the SELinux people, or someone else doesn't
    speak up as to why they really need it.  The hooks have a real design
    and purpose, as we've constantly pointed out in our documentation, and
    they have been validated by others in their USENIX papers.
    
    I know you've never liked this patch, I'm sorry.  Lots of other people
    do :)
    
    thanks,
    
    greg k-h
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 09:55:26 PDT