[PATCH security-next v5 00/30] LSM: Explict ordering

Casey Schaufler casey at schaufler-ca.com
Tue Oct 23 19:05:14 UTC 2018


On 10/23/2018 11:50 AM, Kees Cook wrote:
> On Tue, Oct 23, 2018 at 9:48 AM, Casey Schaufler <casey at schaufler-ca.com> wrote:
>> On 10/12/2018 12:01 PM, Kees Cook wrote:
>>> On Friday, October 12, 2018 3:19 AM, John Johansen
>>> <john.johansen at canonical.com> wrote:
>>>> It isn't perfect but it manages consistency across distros as best as
>>>> can be achieved atm.
>>> Yeah, this is why I'm okay with the current series: it provides as
>>> consistent a view as possible, but leaves room for future improvements
>>> (like adding "+" or "!" or "all" or whatever).
>>>
>>> I'm curious to see what SELinux folks think of v5, though. I *think* I
>>> addressed all the concerns there, even Paul's "I want my distro
>>> default to not have extreme stacking" case too.
>>>
>>> -Kees
>> Looks like I should go on vacation more often. :)
>>
>> I am generally opposed to fancy specification languages.
>> I support the explicit lsm= list specification because you
>> don't have to know any context to create a boot line that
>> will work, and be as close to what you've specified as possible
>> for the kernel configuration. One need look no further than
>> the mechanisms for setting POSIX ACLs for an example of
>> how to ensure a feature isn't used.
>>
>> Had we the foresight to make security= take a list of
>> modules when Yama was added we might have avoided some of
>> this brouhaha, but there was no reason to expect that stacking
>> was ever going to happen back then.
> This sounds like an "Ack" for you? :) I'll harass everyone in person
> in a couple days.

Acked-by: Casey Schaufler <casey at schaufler-ca.com>

> Did you poke around at my combined series?
> https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=lsm/ordering-v6-blob-sharing

I hope to do that on the plane later today.

> -Kees
