Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759169AbXFZSUB (ORCPT ); Tue, 26 Jun 2007 14:20:01 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1757282AbXFZSTw (ORCPT ); Tue, 26 Jun 2007 14:19:52 -0400 Received: from canuck.infradead.org ([209.217.80.40]:43282 "EHLO canuck.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756972AbXFZSTv (ORCPT ); Tue, 26 Jun 2007 14:19:51 -0400 Date: Tue, 26 Jun 2007 11:18:23 -0700 From: Greg KH To: "Serge E. Hallyn" Cc: Adrian Bunk , "Serge E. Hallyn" , James Morris , Andreas Gruenbacher , Chris Wright , linux-security-module@vger.kernel.org, Andrew Morgan , Andrew Morton , Stephen Smalley , lkml , Arjan van de Ven , Eric Paris Subject: Re: [PATCH try #2] security: Convert LSM into a static interface Message-ID: <20070626181823.GA5602@kroah.com> References: <20070617135239.GA17689@sergelap> <20070624220903.GB3723@sequoia.sous-sol.org> <200706252237.59226.agruen@suse.de> <20070626035731.GA16313@vino.hallyn.com> <20070626131519.GH1094@stusta.de> <20070626140644.GB8615@sergelap.austin.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20070626140644.GB8615@sergelap.austin.ibm.com> User-Agent: Mutt/1.5.15 (2007-04-06) Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2606 Lines: 66 On Tue, Jun 26, 2007 at 09:06:44AM -0500, Serge E. Hallyn wrote: > Quoting Adrian Bunk (bunk@stusta.de): > > On Mon, Jun 25, 2007 at 10:57:31PM -0500, Serge E. Hallyn wrote: > > > Quoting James Morris (jmorris@namei.org): > > > > On Mon, 25 Jun 2007, Andreas Gruenbacher wrote: > > > > > > > > > It's useful for some LSMs to be modular, and LSMs which are y/n options won't > > > > > have any security architecture issues with unloading at all. > > > > > > > > Which LSMs? Upstream, there are SELinux and capabilty, and they're not > > > > safe as loadable modules. > > > > > > > > > The mere fact > > > > > that SELinux cannot be built as a module is a rather weak argument for > > > > > disabling LSM modules as a whole, so please don't. > > > > > > > > That's not the argument. Please review the thread. > > > > > > The argument is 'abuse', right? > > > > > > Abuse is defined as using the LSM hooks for non-security applications, > > > right? > > > > > > It seems to me that the community is doing a good job of discouraging > > > such abuse - by redirecting the "wrong-doers" to implement proper > > > upstream solutions, i.e. taskstats, the audit subsystem, etc. > > > > > > Such encouragement seems a far better response than taking away freedoms > > > and flexibility from everyone. > > > > We are not living in a world where everyone had good intentions... > > Oh no, i took a wrong turn somewhere :) > > > For _some_ "wrong-doers" your approach works. > > > > But how do you convince the "wrong-doers" who do things like putting > > MODULE_LICENSE("GPL") into their binary-only modules and who ignore you > > and get away because noone sues them? > > Do these really exist? Yes they do. > Maybe noone sues them because noone knows who they are... Maybe no one knows because the people doing the legal action against them are trying to be nice and do it quietly. And legal action takes time, it is quite slow going unfortunatly. Heck, I've seen code that is even properly licensed under the GPL abuse this security layer for things it was not ment to do at all, and that stuff comes from _very_ big companies that really should know better... So I agree that we should unexport it. It will make people who want to abuse the interface at least think twice about it. thanks, greg "I want to mark structures read-only" k-h - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/