Re: [BK PATCH] LSM changes for 2.5.59

From: Crispin Cowan (crispinat_private)
Date: Wed Feb 12 2003 - 14:22:34 PST


    'Christoph Hellwig' wrote:
    
    >[argg, any chance you two could get RFC-compliant mailers?]
    >
    >On Wed, Feb 12, 2003 at 07:11:09PM +0000, magniett wrote:
    >  
    >
    >>exist. For finishing : PLEASE, stop reducing LSM possibilities : it costs a lot to develop things for a hook and then
    >>redeveloping it for a classical syscall interposition.
    >>    
    >>
    >There's no one taking away the LSM patches.  Anyway life would be a lot
    >simpler if you actually announced the stuff you do on lkml instead of hiding
    >behind the moon.  The only chance hook you need will stay is that you
    >discuss them publicly here.
    >
    For the second time in a week, I agree with HCH: If you are developing 
    an LSM module, then by all means please make it publicly known. Whether 
    we host your source or not, we want to at least link to your site from 
    http://lsm.immunix.org/lsm_modules.html
    
    WRT "taking away LSM patches": HCH wants to remove hooks that "no one 
    uses" and also complains about LSM being a big ugly undesigned hack 
    lacking abstraction. LSM does have an abstract design: it mediates 
    access to major internal kernel objects (processes, inodes, etc.) by 
    user-space processes, throwing access requests out to the LSM module. If 
    you remove some of these hooks because they don't have a *present* 
    module using them, then you break the abstraction.
    
    People tell me that preserving functionality for the sake of abstraction 
    is "not the Linux way". Ok, sure, but you degrade the quality of 
    abstraction if you aggressively prune the interface.
    
    But it would be much better to short-circuit that debate, and have 
    extant modules that use the hooks than to try to defend them on the 
    basis of abstraction. So if your sekrit module uses a hook, post here, 
    or your hook may go away.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    			    Just say ".Nyet"
    
    
    
    




    This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 14:23:02 PST