From: Paul Moore <paul@paul-moore.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: LSM <linux-security-module@vger.kernel.org>,
LKLM <linux-kernel@vger.kernel.org>,
SE Linux <selinux@tycho.nsa.gov>,
James Morris <jmorris@namei.org>,
John Johansen <john.johansen@canonical.com>,
Eric Paris <eparis@redhat.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
Date: Wed, 24 Apr 2013 14:57:55 -0400 [thread overview]
Message-ID: <3554062.6nBMExN24s@sifl> (raw)
In-Reply-To: <5176B0F6.7080506@schaufler-ca.com>
On Tuesday, April 23, 2013 09:04:06 AM Casey Schaufler wrote:
> Subject: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
>
> Change the infrastructure for Linux Security Modules (LSM)s from a
> single vector of hook handlers to a list based method for handling
> multiple concurrent modules.
>
> The "security=" boot option takes a comma separated list of LSMs,
> registering them in the order presented. The LSM hooks will be
> executed in the order registered. Hooks that return errors are
> not short circuited. All hooks are called even if one of the LSM
> hooks fails. The result returned will be that of the last LSM
> hook that failed.
...
> The NetLabel, XFRM and secmark facilities are restricted to use
> by one LSM at a time. This is due to limitations of the underlying
> networking mechanisms. The good news is that viable configurations
> can be created. The bad news is that the complexity of configuring
> a system is necessarily increased.
I know we had a good discussion about this a while back and I just wanted to
hear from you about this current patchset; how does the labeled networking LSM
assignment work? Is it first-come-first-served based on the 'security='
setting?
--
paul moore
www.paul-moore.com
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <paul@paul-moore.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: LSM <linux-security-module@vger.kernel.org>,
LKLM <linux-kernel@vger.kernel.org>,
SE Linux <selinux@tycho.nsa.gov>,
James Morris <jmorris@namei.org>,
John Johansen <john.johansen@canonical.com>,
Eric Paris <eparis@redhat.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
Date: Wed, 24 Apr 2013 14:57:55 -0400 [thread overview]
Message-ID: <3554062.6nBMExN24s@sifl> (raw)
In-Reply-To: <5176B0F6.7080506@schaufler-ca.com>
On Tuesday, April 23, 2013 09:04:06 AM Casey Schaufler wrote:
> Subject: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
>
> Change the infrastructure for Linux Security Modules (LSM)s from a
> single vector of hook handlers to a list based method for handling
> multiple concurrent modules.
>
> The "security=" boot option takes a comma separated list of LSMs,
> registering them in the order presented. The LSM hooks will be
> executed in the order registered. Hooks that return errors are
> not short circuited. All hooks are called even if one of the LSM
> hooks fails. The result returned will be that of the last LSM
> hook that failed.
...
> The NetLabel, XFRM and secmark facilities are restricted to use
> by one LSM at a time. This is due to limitations of the underlying
> networking mechanisms. The good news is that viable configurations
> can be created. The bad news is that the complexity of configuring
> a system is necessarily increased.
I know we had a good discussion about this a while back and I just wanted to
hear from you about this current patchset; how does the labeled networking LSM
assignment work? Is it first-come-first-served based on the 'security='
setting?
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2013-04-24 18:58 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <5176ABB7.5080300@schaufler-ca.com>
2013-04-23 16:04 ` [PATCH v13 0/9] LSM: Multiple concurrent LSMs Casey Schaufler
2013-04-23 16:04 ` Casey Schaufler
2013-04-24 18:57 ` Paul Moore [this message]
2013-04-24 18:57 ` Paul Moore
2013-04-24 20:22 ` Casey Schaufler
2013-04-24 20:22 ` Casey Schaufler
2013-04-24 21:15 ` Paul Moore
2013-04-24 21:15 ` Paul Moore
2013-04-24 23:00 ` John Johansen
2013-04-25 0:43 ` Casey Schaufler
2013-04-25 0:43 ` Casey Schaufler
2013-04-25 14:16 ` Tetsuo Handa
2013-04-25 15:01 ` Paul Moore
2013-04-25 15:01 ` Paul Moore
2013-04-25 18:09 ` Casey Schaufler
2013-04-25 18:09 ` Casey Schaufler
2013-04-25 19:14 ` Paul Moore
2013-04-25 19:14 ` Paul Moore
2013-04-25 20:21 ` Casey Schaufler
2013-04-25 20:21 ` Casey Schaufler
2013-04-25 21:05 ` Kees Cook
2013-04-25 21:26 ` Paul Moore
2013-04-25 21:26 ` Paul Moore
2013-04-23 16:04 ` [PATCH v13 1/9] LSM: Security blob abstraction Casey Schaufler
2013-04-23 16:04 ` Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 2/9] LSM: Complete conversion to kill_pid_info_as_cred Casey Schaufler
2013-04-23 16:04 ` Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 3/9] LSM: Multiple concurrent secids Casey Schaufler
2013-04-23 16:04 ` Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 4/9] LSM: Multiple security context maintenance Casey Schaufler
2013-04-23 16:04 ` Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 5/9] LSM: Networking component isolation Casey Schaufler
2013-04-23 16:04 ` Casey Schaufler
2013-04-24 18:51 ` Paul Moore
2013-04-24 18:51 ` Paul Moore
2013-04-24 19:09 ` Casey Schaufler
2013-04-24 19:09 ` Casey Schaufler
2013-04-24 21:04 ` Paul Moore
2013-04-24 21:04 ` Paul Moore
2013-04-23 16:04 ` [PATCH v13 6/9] LSM: Additional interfaces in /proc/pid/attr Casey Schaufler
2013-04-23 16:04 ` Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 7/9] LSM: remove Yama special case stacking Casey Schaufler
2013-04-23 16:04 ` Casey Schaufler
2013-04-23 20:12 ` Kees Cook
2013-04-23 16:04 ` [PATCH v13 8/9] LSM: Hook list management Casey Schaufler
2013-04-23 16:04 ` Casey Schaufler
2013-04-23 16:05 ` [PATCH v13 9/9] LSM: Documentation and cleanup Casey Schaufler
2013-04-23 16:05 ` Casey Schaufler
2013-04-23 19:02 ` Randy Dunlap
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3554062.6nBMExN24s@sifl \
--to=paul@paul-moore.com \
--cc=casey@schaufler-ca.com \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.