From: Crispin Cowan <crispin@crispincowan.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Thomas Fricaccia <thomas_fricacci@yahoo.com>,
linux-kernel@vger.kernel.org,
LSM ML <linux-security-module@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: LSM conversion to static interface
Date: Mon, 22 Oct 2007 09:10:31 -0700 [thread overview]
Message-ID: <471CCB77.3040004@crispincowan.com> (raw)
In-Reply-To: <20071022110718.3f781108@the-village.bc.nu>
Alan Cox wrote:
> On Sun, 21 Oct 2007 19:24:42 -0700
> "Thomas Fricaccia" <thomas_fricacci@yahoo.com> wrote
>> Yes, I think Crispin has succinctly summed it up: irrevocably closing
>> the LSM prevents commercial customers from using security modules other
>> than that provided by their Linux distributor. As Sarbanes-Oxley and
>> other regulatory laws require these customers to use "standard
>> kernels", the result is a rather dreary form of vendor lock-in, where the
>> security framework is coupled to the distribution.
>>
> Crispin at least is providing genuine discussion points. Sarbox has
> nothing to say on "using vendor linux kernels".
>
I agree that SarBox is not really the issue here. Partially related is
enterprise rules about what kernels one is allowed to load. More
generally, this change forces users who want to use a different LSM than
their vendor provides to recompile their kernel, where they did not have
to recompile before. It forces LSM module developers who want to modify
their LSM to reboot, where they didn't necessarily have to reboot before.
That is not a catastrophe, it is just tedious. It does not kill baby
seals, and it does not make Linux utterly useless. OTOH, I think it is
strictly negative: it takes away user choice in 2 dimensions, and adds
zero value. So apply it if you must to bake the kernel developer's lives
easier, but it really is a net loss in Linux kernel capability.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Itanium. Vista. GPLv3. Complexity at work
next prev parent reply other threads:[~2007-10-22 16:10 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-22 2:24 LSM conversion to static interface Thomas Fricaccia
2007-10-22 3:59 ` Greg KH
2007-10-22 17:47 ` Avi Kivity
2007-10-23 16:05 ` Adrian Bunk
2007-10-23 16:52 ` Geert Uytterhoeven
2007-10-22 10:07 ` Alan Cox
2007-10-22 16:10 ` Crispin Cowan [this message]
2007-10-22 16:50 ` Alan Cox
2007-10-22 16:56 ` Greg KH
-- strict thread matches above, loose matches on Subject: below --
2007-10-25 11:33 Jan Engelhardt
2007-10-26 10:40 ` Samir Bellabes
2007-10-22 17:00 Thomas Fricaccia
2007-10-22 17:12 ` Alan Cox
2007-10-22 17:13 ` Greg KH
2007-10-23 5:14 ` Crispin Cowan
2007-10-23 5:32 ` david
2007-10-23 11:38 ` Simon Arlott
2007-10-23 5:53 ` Giacomo Catenazzi
2007-10-23 7:12 ` Crispin Cowan
2007-10-23 8:17 ` Giacomo A. Catenazzi
2007-10-24 3:41 ` Greg KH
[not found] <167451.96128.qm@web38607.mail.mud.yahoo.com>
2007-10-18 2:18 ` Linus Torvalds
2007-10-19 20:26 ` Andreas Gruenbacher
2007-10-19 20:40 ` Linus Torvalds
2007-10-20 11:05 ` Jan Engelhardt
2007-10-20 22:57 ` James Morris
2007-10-21 22:59 ` Adrian Bunk
2007-10-23 9:13 ` Jan Engelhardt
2007-10-23 5:44 ` Giacomo Catenazzi
2007-10-23 8:55 ` Jan Engelhardt
2007-10-23 9:14 ` Giacomo A. Catenazzi
2007-10-23 9:18 ` Jan Engelhardt
2007-10-23 15:20 ` Serge E. Hallyn
2007-10-23 15:28 ` Jan Engelhardt
2007-10-23 15:34 ` Serge E. Hallyn
2007-10-25 10:23 ` Valdis.Kletnieks
2007-10-19 21:07 ` James Morris
2007-10-18 1:34 Thomas Fricaccia
2007-10-18 2:03 ` Casey Schaufler
2007-10-18 2:21 ` Linus Torvalds
2007-10-18 3:06 ` Arjan van de Ven
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=471CCB77.3040004@crispincowan.com \
--to=crispin@crispincowan.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=thomas_fricacci@yahoo.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox