Re: Willing to change LSM so secondary defaults correct

From: Greg KH (gregat_private)
Date: Thu Dec 26 2002 - 10:19:26 PST


    On Tue, Dec 24, 2002 at 12:22:21PM -0800, Crispin Cowan wrote:
    > David Wheeler wrote:
    > 
    > >However, before doing so, I want to hear any comments.
    > >If people often want to mix in the capability module with another
    > >secondary module when they have a single child,
    > 
    > Single child; hmmm. Does that mean "stacker + one functional module"? Or 
    > "stacker + capabilities + one other module"? I expect the common cases 
    > to be:
    > 
    >   1. capabilities only: oblivious users who don't do anything to
    >      enhance kernel security, and just load up the defaults.
    
    Hm, tell us how you really feel about "oblivious users" :)
    
    >   2. capabilities + OWLSM: nearly oblivious users who want to just add
    >      the "zero management" security of OWLSM.
    
    owlsm already merges both functionalities together today in one module, no
    "stacking" needed.
    
    >   3. capabilities + OWLSM + MAC: where "MAC" is one of SELinux, LIDS,
    >      DTE, or SubDomain, etc. Users taking active steps to enhance
    >      security with MAC.
    
    And playing with fire.  Who's going to ever agree to say that their
    module will work just fine stacking with an unknown list of other
    modules?
    
    And who would really want that speed hit on their machine :)
    
    > WireX will probably go with #3 or #4, plus some additional modules of 
    > our own. Get your own magic 8 ball to predict the order of popularity :-)
    
    I wish your benchmarks well...
    
    thanks,
    
    greg k-h
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    


