Re: [patch 1/3] lsm: add bsdjail module

[Chris Wright <chrisw@osdl.org>]

* Andrew Morton (akpm@osdl.org) wrote:
> Chris Wright <chrisw@osdl.org> wrote:
> > * Andrew Morton (akpm@osdl.org) wrote:
> > Which feature are you concerned over, the additional hook or the
> > new module?
> 
> I am concerned about the presence of new code - simple as that.

Understood.

> We need to be able to demonstrate that the new code is sufficiently useful
> to a sufficiently large number of people as to warrant the cost of
> maintaining it in the tree for the rest of eternity.

That's fine.  Serge, can you enlighten us with an idea of the users of
this code?

> >  The module is a no-op for anybody who doesn't want it.
> 
> It still needs to be maintained.

Absolutely.

> > I can't vouch for the number of users of this module although I've seen
> > some positive feedback from users.  One nice bit is that it goes a way
> > towards helping vserver which does have quite a few users.
> 
> Tell us more.

One portion of the vserver project (that which has to do with security
and isolation) could be largely covered by this work.  And vserver
is an active project with many users AFAICT.  The vserver maintainer
has expressed some interest in this as well.  The other portion of the
project, which does the resource limiting has a decent chance of working
well with something like CKRM or similar.

> >  This module
> > really demonstrates one of the points of LSM...to support multiple
> > security models.
> 
> Sure.  But that doesn't mean that those modules have to live at kernel.org
> rather than, say, at bsdjail.sourceforge.net.

I agree, some userbase does wonders to justify mainlining the code.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net