From: Andreas Gruenbacher <agruen@suse.de>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Thomas Fricaccia <thomas_fricacci@yahoo.com>,
linux-kernel@vger.kernel.org
Subject: Re: LSM conversion to static interface
Date: Fri, 19 Oct 2007 22:26:53 +0200 [thread overview]
Message-ID: <200710192226.53233.agruen@suse.de> (raw)
In-Reply-To: <alpine.LFD.0.999.0710171913270.26902@woody.linux-foundation.org>
On Thursday 18 October 2007 04:18, Linus Torvalds wrote:
> On Wed, 17 Oct 2007, Thomas Fricaccia wrote:
> >
> > But then I noticed that, while the LSM would remain in existence, it was
> > being closed to out-of-tree security frameworks. Yikes! Since then,
> > I've been following the rush to put SMACK, TOMOYO and AppArmor
> > "in-tree".
>
> Yeah, it did come up. Andrew, when he sent it on to me, said that the SuSE
> people were ok with it (AppArmor), but I'm with you - I applied it, but
> I'm also perfectly willing to unapply it if there actually are valid
> out-of-tree users that people push for not merging.
The patch doesn't hurt AppArmor, but it's still a step in the wrong direction.
Quoting from commit 20510f2f (Convert LSM into a static interface):
> In a nutshell, there is no safe way to unload an LSM. The modular interface
> is thus unecessary and broken infrastructure. It is used only by
> out-of-tree modules, which are often binary-only, illegal, abusive of the
> API and dangerous, e.g. silently re-vectoring SELinux.
This is idiotic. Just because there is no safe way to unload SELinux
- doesn't mean there is no safe way to unload other LSMs: if nothing
but that, unloading is handy during development.
- doesn't mean that module *loading* is unsafe. The patch removes module
loading as well, which hurts more than removing module unloading.
LSM can be abused ... so what, this doesn't mean the interface is bad. Non-LSM
loadable modules have been known to do lots of bad things, and yet nobody
made them non-loadable either (yet).
> [...]
> For example, I do kind of see the point that a "real" security model might
> want to be compiled-in, and not something you override from a module.
Non-trivial modules (i.e., practically everything beyond capabilities) become
effective only after loading policy, anyway. If you can load policy, you can
as well first load a security module without making the system insecure.
Thanks,
Andreas
next prev parent reply other threads:[~2007-10-19 20:25 UTC|newest]
Thread overview: 140+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <167451.96128.qm@web38607.mail.mud.yahoo.com>
2007-10-18 2:18 ` LSM conversion to static interface Linus Torvalds
2007-10-19 20:26 ` Andreas Gruenbacher [this message]
2007-10-19 20:40 ` Linus Torvalds
2007-10-20 11:05 ` Jan Engelhardt
2007-10-20 22:57 ` James Morris
2007-10-21 22:59 ` Adrian Bunk
2007-10-23 4:09 ` LSM conversion to static interface [revert patch] Arjan van de Ven
2007-10-23 4:56 ` James Morris
2007-10-23 4:57 ` Arjan van de Ven
2007-10-23 5:16 ` Chris Wright
2007-10-23 9:10 ` Jan Engelhardt
2007-10-23 9:13 ` Chris Wright
2007-10-23 9:14 ` Jan Engelhardt
2007-10-24 0:31 ` Jeremy Fitzhardinge
2007-10-24 0:32 ` Chris Wright
2007-10-24 5:06 ` Arjan van de Ven
2007-10-24 11:50 ` Linux Security *Module* Framework (Was: LSM conversion to static interface Simon Arlott
2007-10-24 12:55 ` Adrian Bunk
2007-10-24 18:11 ` Linux Security *Module* Framework (Was: LSM conversion to static interface) Simon Arlott
2007-10-24 18:51 ` Jan Engelhardt
2007-10-24 18:59 ` Simon Arlott
2007-10-24 19:04 ` Jan Engelhardt
2007-10-24 21:02 ` David P. Quigley
2007-10-24 21:37 ` Serge E. Hallyn
2007-10-24 21:51 ` Jan Engelhardt
2007-10-24 22:02 ` David P. Quigley
2007-10-24 23:13 ` Jan Engelhardt
2007-10-25 1:50 ` david
2007-10-25 3:50 ` Kyle Moffett
2007-10-24 21:42 ` Jan Engelhardt
2007-10-24 21:58 ` Casey Schaufler
2007-10-24 22:04 ` David P. Quigley
2007-10-25 11:38 ` Simon Arlott
2007-10-24 20:18 ` Crispin Cowan
2007-10-24 20:46 ` Jan Engelhardt
2007-10-24 21:29 ` Casey Schaufler
2007-10-24 22:31 ` Adrian Bunk
2007-10-24 22:58 ` Casey Schaufler
2007-10-24 23:32 ` Adrian Bunk
2007-10-24 23:42 ` Linus Torvalds
2007-10-25 0:41 ` Chris Wright
2007-10-25 2:19 ` Arjan van de Ven
2007-10-30 3:37 ` Toshiharu Harada
2007-10-25 1:03 ` Casey Schaufler
2007-10-25 0:23 ` Chris Wright
2007-10-25 0:35 ` Ray Lee
2007-10-25 1:26 ` Peter Dolding
2007-10-25 1:41 ` Alan Cox
2007-10-25 2:11 ` david
2007-10-25 18:17 ` Ray Lee
2007-10-25 22:21 ` Alan Cox
2007-10-26 3:45 ` david
2007-10-26 5:44 ` Peter Dolding
2007-10-27 18:29 ` Pavel Machek
2007-10-28 18:48 ` Hua Zhong
2007-10-28 19:05 ` Hua Zhong
2007-10-28 22:08 ` Crispin Cowan
2007-10-28 22:50 ` Alan Cox
2007-11-26 20:42 ` serge
2007-10-28 23:55 ` Peter Dolding
2007-10-29 5:12 ` Arjan van de Ven
2007-10-25 9:19 ` Bernd Petrovitsch
2007-10-25 16:04 ` Ray Lee
2007-10-25 17:10 ` Arjan van de Ven
2007-10-30 9:41 ` Bernd Petrovitsch
2007-10-25 1:42 ` Casey Schaufler
2007-10-27 18:22 ` Pavel Machek
2007-10-28 19:42 ` Linux Security *Module* Framework Tilman Schmidt
2007-10-28 20:46 ` Jan Engelhardt
2007-10-30 3:23 ` Linux Security *Module* Framework (Was: LSM conversion to static interface) Toshiharu Harada
2007-10-30 8:40 ` Jan Engelhardt
2007-10-30 8:50 ` Crispin Cowan
2007-10-30 9:27 ` Jan Engelhardt
2007-10-30 9:21 ` Toshiharu Harada
2007-10-25 11:44 ` Simon Arlott
2007-10-25 23:09 ` Tilman Schmidt
2007-10-26 2:56 ` Greg KH
2007-10-26 7:09 ` Jan Engelhardt
2007-10-26 15:54 ` Greg KH
2007-10-26 9:46 ` Tilman Schmidt
2007-10-26 15:58 ` Greg KH
2007-10-26 16:32 ` Simon Arlott
2007-10-27 14:07 ` eradicating out of tree modules (was: Linux Security *Module* Framework) Tilman Schmidt
2007-10-28 1:21 ` Adrian Bunk
2007-10-26 23:26 ` Linux Security *Module* Framework (Was: LSM conversion to static interface) Adrian Bunk
2007-10-27 14:47 ` eradicating out of tree modules (was: : Linux Security *Module* Framework) Tilman Schmidt
2007-10-27 17:31 ` eradicating out of tree modules Stefan Richter
2007-10-28 0:55 ` eradicating out of tree modules (was: : Linux Security *Module* Framework) Adrian Bunk
2007-10-28 9:25 ` eradicating out of tree modules Stefan Richter
2007-10-28 12:01 ` Tilman Schmidt
2007-10-28 14:37 ` Stefan Richter
2007-10-28 14:59 ` Simon Arlott
2007-10-28 16:55 ` Tilman Schmidt
2007-10-28 18:51 ` Tilman Schmidt
2007-10-28 19:25 ` Adrian Bunk
2007-10-30 0:29 ` Tilman Schmidt
2007-10-30 13:11 ` linux-os (Dick Johnson)
2007-10-30 13:19 ` Xavier Bestel
2007-10-30 15:30 ` Greg KH
2007-10-29 23:51 ` Out-of-tree modules [was: Linux Security *Module* Framework] Jan Engelhardt
2007-10-30 0:46 ` Lee Revell
2007-10-30 1:19 ` Jan Engelhardt
2007-10-27 14:08 ` Linux Security *Module* Framework (Was: LSM conversion to static interface Tetsuo Handa
2007-11-05 6:42 ` Crispin Cowan
2007-10-23 9:13 ` Jan Engelhardt
2007-10-23 5:44 ` Giacomo Catenazzi
2007-10-23 8:55 ` Jan Engelhardt
2007-10-23 9:14 ` Giacomo A. Catenazzi
2007-10-23 9:18 ` Jan Engelhardt
2007-10-23 15:20 ` Serge E. Hallyn
2007-10-23 15:28 ` Jan Engelhardt
2007-10-23 15:34 ` Serge E. Hallyn
2007-10-25 10:23 ` Valdis.Kletnieks
2007-10-19 21:07 ` James Morris
2007-10-22 1:12 ` Crispin Cowan
2007-10-25 11:33 Jan Engelhardt
2007-10-26 10:40 ` Samir Bellabes
-- strict thread matches above, loose matches on Subject: below --
2007-10-22 17:00 Thomas Fricaccia
2007-10-22 17:12 ` Alan Cox
2007-10-22 17:13 ` Greg KH
2007-10-23 5:14 ` Crispin Cowan
2007-10-23 5:32 ` david
2007-10-23 11:38 ` Simon Arlott
2007-10-23 5:53 ` Giacomo Catenazzi
2007-10-23 7:12 ` Crispin Cowan
2007-10-23 8:17 ` Giacomo A. Catenazzi
2007-10-24 3:41 ` Greg KH
2007-10-22 2:24 Thomas Fricaccia
2007-10-22 3:59 ` Greg KH
2007-10-22 17:47 ` Avi Kivity
2007-10-23 16:05 ` Adrian Bunk
2007-10-23 16:52 ` Geert Uytterhoeven
2007-10-22 10:07 ` Alan Cox
2007-10-22 16:10 ` Crispin Cowan
2007-10-22 16:50 ` Alan Cox
2007-10-22 16:56 ` Greg KH
2007-10-18 1:34 Thomas Fricaccia
2007-10-18 2:03 ` Casey Schaufler
2007-10-18 2:21 ` Linus Torvalds
2007-10-18 3:06 ` Arjan van de Ven
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200710192226.53233.agruen@suse.de \
--to=agruen@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=thomas_fricacci@yahoo.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.