[PATCH] tomoyo: Add a kernel config option for fuzzing testing.
James Morris
jmorris at namei.org
Wed Mar 13 20:00:13 UTC 2019
On Tue, 12 Mar 2019, Edwin Zimmerman wrote:
> On March 12, 2019 5:15, Tetsuo Handa <penguin-kernel at i-love.sakura.ne.jp> wrote:
> > >> Yes. As long as upstream can't accept all LSM modules, and some people cannot afford
> > >> utilizing upstream LSM modules, LKM-based LSMs will be needed by such people.
> > >
> > > What do you mean cannot afford?
> > >
> >
> > Some people have to set SELINUX=disabled in /etc/selinux/config or pass security=none from
> > the kernel command line.
>
> If you specifically don't want in-kernel LSMs, and you specifically do want an out-of-tree LSM,
> there are other options. For example, you could just livepatch the security_* hooks you need,
> since you already would be using an LKM-based LSM. That would give you your
> out-of-tree module and would also disable selinux on the hooks that got livepatched.
>
Ahh, ok, this is about out of tree LSMs.
This has been discussed many times over the years and the answer is always
the same: we will not add infrastructure to the kernel to support out of
tree code. This is a long-standing tenet of the Linux kernel.
--
James Morris
<jmorris at namei.org>