Date: Wed, 27 Jun 2007 08:41:49 -0500
From: "Serge E. Hallyn"
To: Kyle Moffett
Cc: "Serge E. Hallyn", Andreas Gruenbacher, James Morris, Chris Wright, linux-security-module@vger.kernel.org, Andrew Morgan, Andrew Morton, Stephen Smalley, lkml, Arjan van de Ven, Greg KH, Eric Paris
Subject: Re: [PATCH try #2] security: Convert LSM into a static interface
Message-ID: <20070627134149.GB2679@sergelap>
References: <20070617135239.GA17689@sergelap> <20070624220903.GB3723@sequoia.sous-sol.org> <200706252237.59226.agruen@suse.de> <11C35822-4E11-4365-BADE-C1AE41F15B50@mac.com> <20070626134712.GA8615@sergelap.austin.ibm.com>

Quoting Kyle Moffett (mrmacman_g4@mac.com):

> This whole discussion boils down to 2 points:

Yes it can, but not the two you list.

> 1) As currently implemented, no LSM may be safely rmmod-ed

That's not the rationale for the patch, it's just some talking point you picked up. The rationale for the patch is to prevent abuse. So point 1 is

1) Is the LSM infrastructure being abused, and how detrimental is that abuse?

As has come up, the abuse comes in two forms, and people seem to want to blur the two forms to make it seem especially relevant and heinous...

> 2) Someone has submitted a patch which fixes that problem (you
> can't rmmod them at all, so no crashes)

2) Is the loss of flexibility in the LSM framework a worthwhile tradeoff against the abuse prevention?

Clearly I and a very few others feel no, and a very vocal set (which sure sounds like a majority) says yes. Now quit trying to give technical justifications for something which is technical only insofar as it is a technical roadblock to prevent a legal problem.

> If you really want to do modular LSMs, then you need to submit a
> patch which fixes all the race conditions in LSM removal *without*

LSM is an infrastructure. It's up to the modules to provide that, and it can be done. DTE used to do it. Dirjail used to do it. Capability does it. And since LSM won't be modular anymore it doesn't matter.

> adding much extra overhead. I'm sure if your solution works then
> everyone will be much more open to modular LSMs.

I said this before: Another blatant lie, not unlike "come to the table to upstream your LSM, and we'll help you, honest."

(The funny thing about that is, I actually like SELinux, more than the alternatives in general. I just can't stand the attitudes voiced by much of its camp.)

-serge

PS - should we rename 'LSM' to 'LSI' - linux security infrastructure? Calling it LSM now is kind of moronic.