Re: What went wrong with LSM, was: Re: [BK PATCH] LSM changes for 2.5.59

[Casey Schaufler <casey@sgi.com>]

'Christoph Hellwig' wrote:

> And here we see _the_ problem with the LSM process.

I personally don't agree with the subject line,
as I don't believe that anything "went wrong" with
LSM. True, it's not what I want, but then my contribution
wasn't what it needed to be to make it such, either.
I often disagreed with the directions, and was sometimes
surprised, but that kind of thing happens in a large
group environment. My sage wisdom was considered
more often than not, even if it was discarded unused
from time to time.

I've been retrofitting security policy into U2X systems
since the 1980's, first Orange Book and now Common
Criteria, and it's HARD. LSM is a fine first whack.
No one should dispair that it fails to meet a particular
need exactly, or that those meany maintainers won't
accept your hook without seeing the code that uses it.
Alan Cox described the Linux development process as
climbing over a fence with everyones hands in each others
pockets, and I think that describes LSM pretty well.

Advanced security features are unpopular, and
all evidience points to them remaining so. We, as
a development community, have yet to convince the
great insecure masses that they want to see audit
trails, user clearances, and time of day controls
in "their" kernels. Heck, we have yet to convince
each other! But buck up, I fully expect we'll do
better next round, and better the time after that,
as well.

LSM isn't finished because Linux isn't finished
and as a group we security developers are a
tenacious (stubborn? pig headed maybe?) lot.

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 877.557.3184