An opinion about Linux security
Timur Chernykh
tim.cherry.co at gmail.com
Fri Dec 12 17:22:11 UTC 2025
> While Timur was
> added to the conversation by someone, I don't see any mail from him in
> that thread.
I probably missed this thread.
> Beyond that, I'm a bit lost. As far as I can remember, and both lore
> and my own sent mail folder appear to support this, I've never
> commented on ESF. At this point I think Timur may be mistaken
> regarding my commenting on ESF, but if I am wrong please provide a
> lore link so I can refresh my memory.
Sorry for misleading you. My mistake, I should have checked the thread
first instead of relying on my memory.
> In this post Timur provides links to his ESF project on GitHub, but no
> patches.
Am I correct in understanding that any proposals and questions I'd
like to discuss with the maintainers and the community should start
with patches? Even if the goal isn't to implement a change right away,
but merely to evaluate the idea.
When I proposed the prototype, it seemed excessive to me to prepare
patches for something that could be "finished" at the idea stage.
On Fri, Dec 12, 2025 at 8:06 PM Paul Moore <paul at paul-moore.com> wrote:
>
> On Fri, Dec 12, 2025 at 11:12 AM Stephen Smalley
> <stephen.smalley.work at gmail.com> wrote:
> > On Fri, Dec 12, 2025 at 9:47 AM Timur Chernykh <tim.cherry.co at gmail.com> wrote:
> > >
> > > I’m lucky enough to have already built a working prototype, which I
> > > once offered for review:
> > >
> > > https://github.com/Linux-Endpoint-Security-Framework/linux/tree/esf/main/security/esf
> > > https://github.com/Linux-Endpoint-Security-Framework/linux/tree/esf/main/include/uapi/linux/esf
> > >
> > > Less lucky was the reaction I received. Paul Moore was strongly
> > > opposed, as far as I remember. Dr. Greg once said that heat death of
> > > the universe is more likely than this approach being accepted into the
> > > kernel.
> >
> > Not seeing an actual response from Paul in the archives, but did you
> > ever actually post patches to the list?
>
> I was wondering about this too. I searched through my sent mail and
> while it's possible I'm missing some mail, the only conversation I see
> with Timur is an off-list discussion from 2024 regarding changes in
> the upstream kernel to support out-of-tree LSMs. While Timur was
> added to the conversation by someone, I don't see any mail from him in
> that thread. My comments in that thread are consistent with my
> comments in on-list threads from around that same time when
> out-of-tree code was discussed. Here is a snippet from one of my
> responses, which still holds true as far as I'm concerned:
>
> "As stated many times in the past, the LSM framework as
> well as the Linux kernel in general, does not provide the
> same level of consideration to out-of-tree code that it does
> to upstream, mainline code. My policy on this remains the
> same as last time we talked: while I have no goal to make
> things difficult for out-of-tree code, I will not sacrifice
> the continued development and maintenance of existing
> upstream code in favor of out-of-tree code."
>
> Searching for "Timur Chernykh" in all of the lore archives shows some
> BPF related threads and the following LSM thread from June 2024:
>
> https://lore.kernel.org/all/CABZOZnS13-KscVQY0YqqWZsBwmQaKyRO_G=kzCL8zc9jHxAC=A@mail.gmail.com
>
> In this post Timur provides links to his ESF project on GitHub, but no
> patches. I see comments from Stephen, Tetsuo, Casey, and Dr. Greg; I
> did not comment on that thread.
>
> Beyond that, I'm a bit lost. As far as I can remember, and both lore
> and my own sent mail folder appear to support this, I've never
> commented on ESF. At this point I think Timur may be mistaken
> regarding my commenting on ESF, but if I am wrong please provide a
> lore link so I can refresh my memory.
>
> --
> paul-moore.com