[PATCH bpf-next v1 00/13] MAC and Audit policy using eBPF (KRSI)
James Morris
jmorris at namei.org
Wed Jan 8 18:58:29 UTC 2020
On Wed, 8 Jan 2020, Stephen Smalley wrote:
> This appears to impose a very different standard to this eBPF-based LSM than
> has been applied to the existing LSMs, e.g. we are required to preserve
> SELinux policy compatibility all the way back to Linux 2.6.0 such that new
> kernel with old policy does not break userspace. If that standard isn't being
> applied to the eBPF-based LSM, it seems to inhibit its use in major Linux
> distros, since otherwise users will in fact start experiencing breakage on the
> first such incompatible change. Not arguing for or against, just trying to
> make sure I understand correctly...
A different standard would be applied here vs. a standard LSM like
SELinux, which are retrofitted access control systems.
I see KRSI as being more of a debugging / analytical API, rather than an
access control system. You could of course build such a system with KRSI
but it would need to provide a layer of abstraction for general purpose
users.
So yes this would be a special case, as its real value is in being a
special case, i.e. dynamic security telemetry.
--
James Morris
<jmorris at namei.org>
More information about the Linux-security-module-archive
mailing list