LSM stacking in next for 6.1?
Tetsuo Handa
penguin-kernel at I-love.SAKURA.ne.jp
Fri Sep 16 13:34:14 UTC 2022
On 2022/09/16 0:50, Casey Schaufler wrote:
>> Although the upstream Linux Kernel focuses only on in-tree kernel code,
>> CONFIG_MODULES=y is not limited for in-tree kernel code. It is used by e.g.
>> device vendors to deliver their out-of-tree driver code.
>
> I see this argument all the time. The response is "get your driver upstream".
> Vendors/developers who whine "It's too hard" get no sympathy from me.
>
Getting off-topic from loadable module LSMs, but one of reasons they do not
try to get upstream might be to be able to synchronize across multiple kernel
versions. For example, splx_kernel_module-3.0.1.0024-src.tar.gz is trying to
serve as a common source code for many distributor's kernel versions.
If some snapshot were included in upstream kernel, it becomes difficult to keep
the same bugfixes/features applied across kernel versions the vendor wants to
load into.
Although ./scripts/checkpatch.pl warns about use of LINUX_VERSION_CODE, there are
cases where vendors want to share the same bugfixes/features across all kernel
versions.
More information about the Linux-security-module-archive
mailing list