2007-10-12 22:58:24

by Kees Cook

Subject: static LSM objection

Hi,

I just wanted to voice my opinion about the static LSM changes.
(I apologize about being late[1] to the discussion[2] -- I'd only recently
become aware of it.) I'm personally really against this. For example,
I want to give people choice about their security protections in Ubuntu,
and I'd like to let them pick the MAC that suits their needs.

Some people want SELinux, some people want AppArmor. (Yes, I know
AppArmor isn't in mainline yet, but it does seem they're getting closer --
three distros are shipping AppArmor. The static changes feel motivated
by political rather than technical reasons -- though they of course have
technical merit.) Considering things like SMACK and TOMOYO, it is going
to be very troublesome for distros to have to start building multiple
kernels to support each given MAC that their users want to use.

So, unless this is just re-hashing and you can point me to discussion
points I missed, can someone help me understand the technical issues
around this change? It sounds like the primary reason for making it
non-modular is performance loss due to call overhead. Aren't there
other ways to solve this without removing the boot-time module choice?
(Make it unloadable?)

I'm not convinced that the advantages of making it static out-weigh the
benefit of having it as a choice at boot-time. (I don't really mind
needing a reboot to switch MAC implementations, as long as there is some
benefit from making them unloadable, though it sounds like there are
people who are against making LSMs unloadable too.)

Thanks,

-Kees

/me pops the safety off his fire extinguisher

[1] http://lkml.org/lkml/2007/7/19/228
[2] http://lkml.org/lkml/2007/7/14/91

--
Kees Cook


2007-10-12 22:38:06

by Kees Cook

Subject: Re: static LSM objection

On Fri, Oct 12, 2007 at 02:42:27PM -0700, Kees Cook wrote:
> I just wanted to voice my opinion about the static LSM changes.

Through the magic of greylisting (thanks vger) and IRC, I've just had a
chat with Arjan and GregKH about this stuff. So, just to follow up for
people interested in watching me talk to myself:

- while an LSM must be compiled in, they are not mutually exclusive,
and the desired module can be selected at boot-time.

As such, I don't have any strong objections. It'd be nice for folks
doing LSM development to allow for a way for it to be modular, but I'll let
them fight for that. :)

Sorry for the noise,

-Kees

--
Kees Cook