[PATCH bpf-next v1 00/13] MAC and Audit policy using eBPF (KRSI)
James Morris
jmorris at namei.org
Wed Jan 8 18:27:16 UTC 2020
On Mon, 30 Dec 2019, Kees Cook wrote:
>
> Given the discussion around tracing and stable ABI at the last kernel
> summit, Linus's mandate is mainly around "every day users" and not
> around these system-builder-sensitive cases where everyone has a strong
> expectation to rebuild their policy when the kernel changes. i.e. it's
> not "powertop", which was Linus's example of "and then everyone running
> Fedora breaks".
>
> So, while I know we've tried in the past to follow the letter of the
> law, it seems Linus really expects this only to be followed when it will
> have "real world" impact on unsuspecting end users.
>
> Obviously James Morris has the final say here, but as I understand it,
> it is fine to expose these here for the same reasons it's fine to expose
> the (ever changing) tracepoints and BPF hooks.
Agreed. This API should be seen in the same light as tracing / debugging,
and it should not be exposed by users directly to general purpose
applications.
--
James Morris
<jmorris at namei.org>
More information about the Linux-security-module-archive
mailing list