[PATCH] tomoyo: Add a kernel config option for fuzzing testing.
jmorris at namei.org
Wed Mar 13 20:00:13 UTC 2019
On Tue, 12 Mar 2019, Edwin Zimmerman wrote:
> On March 12, 2019 5:15, Tetsuo Handa <penguin-kernel at i-love.sakura.ne.jp> wrote
> > >> Yes. As long as upstream can't accept all LSM modules, and some people cannot afford
> > >> utilizing upstream LSM modules, LKM-based LSMs will be needed by such people.
> > >
> > > What do you mean cannot afford?
> > >
> > Some people have to set SELINUX=disabled in /etc/selinux/config or pass security=none from
> > the kernel command line.
> If you specifically don't want in-kernel LSMs, and you specifically do want an out-of-tree LSM,
> there are other options. For example, you could just livepatch the security_* hooks you need,
> since you already would be using an LKM-based LSM. That would give you your
> out-of-tree module and would also disable selinux on the hooks that got livepatched.
Ahh, ok, this is about out of tree LSMs.
This has been discussed many times over the years and the answer is always
the same: we will not add infrastructure to the kernel to support out of
tree code. This is a long-standing tenet of the Linux kernel.
<jmorris at namei.org>