LSM stacking in next for 6.1?

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Thu Sep 15 14:27:08 UTC 2022


On 2022/09/14 22:56, Paul Moore wrote:
> On Fri, Sep 9, 2022 at 7:33 AM Tetsuo Handa <penguin-kernel at i-love.sakura.ne.jp> wrote:
>> Inclusion into upstream is far from the goal.
> 
> For better or worse, there is a long history of the upstream Linux
> Kernel focusing only on in-tree kernel code, I see no reason why we
> should change that now for LSMs.

Because we can't afford to accept/maintain whatever LSMs are proposed.

Do you think that we are going to accept/maintain whatever LSMs are proposed
if we get to the point of "The commitment I made to Paul some years ago now was
that the stacking would eventually include making all combinations possible"?
I don't think so.

Although the upstream Linux Kernel focuses only on in-tree kernel code,
CONFIG_MODULES=y is not limited to in-tree kernel code. It is used by e.g.
device vendors to deliver their out-of-tree driver code. So I see no reason
why we can't do the same for LSMs. We simply don't need to "provide efforts for
fixing bugs in whatever LSMs"; we simply should "allow whatever LSMs to exist".
