[RFC PATCH v2 0/4] LSM: Officially support appending LSM hooks after boot.

Paul Moore paul at paul-moore.com
Mon Nov 20 22:52:44 UTC 2023


On Mon, Nov 20, 2023 at 8:28 AM Tetsuo Handa
<penguin-kernel at i-love.sakura.ne.jp> wrote:
>
> This functionality will be used by the TOMOYO security module.
>
> In order to officially use an LSM module, that LSM module has to be
> built into vmlinux. This limitation has been a big barrier for allowing
> distribution kernel users to use LSM modules which the organization who
> builds that distribution kernel cannot afford supporting [1]. Therefore,
> I've been asking for the ability to append LSM hooks from LKM-based LSMs so
> that distribution kernel users can use LSMs which the organization who
> builds that distribution kernel cannot afford supporting.

It doesn't really matter for this discussion, but based on my days
working for a Linux distro company I would be very surprised if a
commercial distro would support a system running unapproved
third-party kernel modules.

We've talked a lot about this core problem and I maintain that it is
still a distro problem and not something I'm really concerned about
upstream.

-- 
paul-moore.com


