[PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks

Linus Torvalds torvalds at linux-foundation.org
Sat Jun 5 18:17:02 UTC 2021


On Sat, Jun 5, 2021 at 11:11 AM Casey Schaufler <casey at schaufler-ca.com> wrote:
>
> You have fallen into a common fallacy. The fact that the "code runs"
> does not assure that the "system works right". In the security world
> we face this all the time, often with performance expectations. In this
> case the BPF design has failed [..]

I think it's the lockdown patches that have failed. They did the wrong
thing, they didn't work,

The report in question is for a regression.

THERE ARE NO VALID ARGUMENTS FOR REGRESSIONS.

Honestly, security people need to understand that "not working" is not
a success case of security. It's a failure case.

Yes, "not working" may be secure. But security in that case is *pointless*.

              Linus



More information about the Linux-security-module-archive mailing list