LSM stacking in next for 6.1?

Casey Schaufler casey at schaufler-ca.com
Wed Oct 26 15:30:38 UTC 2022


On 10/26/2022 3:19 AM, Tetsuo Handa wrote:
> On 2022/10/26 7:41, Casey Schaufler wrote:
>>             You need a built-in LSM that loads and manages loadable
>> security modules.
> That is no longer loadable LSM modules. A loadable LSM module must be capable of
> loading any code and using any interface that is allowed to loadable kernel modules
> using /sbin/insmod command. That is my understanding of what you have promised (and
> the reason I am allowing you to continue working on LSM stacking before I make
> CONFIG_SECURITY_TOMOYO=m).

Loadable modules, in whatever form they take, will require the stacking
I'm proposing. They will also require the next phase of stacking, which
includes the networking bits that will allow universal stacking. Even if
the current work goes in tomorrow (demented giggles) that's at least a
year off. Then, and only then, will someone be able to tackle an
implementation of loadable modules. I will not be available for that job.
I have done everything I can to ensure that the stacking work won't
prevent it from being done. I have proposed how it might be done. But
I don't have 10 more years to spend on it, and it's not me that will
reject it in the end. I won't beat that dead horse's head against that
brick wall.



