From: James Morris <jmorris@namei.org>
To: Edwin Zimmerman <edwin@211mainstreet.net>
Cc: "'Tetsuo Handa'" <penguin-kernel@i-love.sakura.ne.jp>,
	"'Stephen Smalley'" <sds@tycho.nsa.gov>,
	linux-security-module@vger.kernel.org
Subject: RE: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
Date: Thu, 14 Mar 2019 07:00:13 +1100 (AEDT)
Message-ID: <alpine.LRH.2.21.1903140657440.22528@namei.org>
In-Reply-To: <000001d4d91e$68837940$398a6bc0$@211mainstreet.net>

On Tue, 12 Mar 2019, Edwin Zimmerman wrote:

> On March 12, 2019 5:15, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> wrote:
> > >> Yes. As long as upstream can't accept all LSM modules, and some people cannot afford
> > >> to utilize upstream LSM modules, LKM-based LSMs will be needed by such people.
> > >
> > > What do you mean, cannot afford?
> > >
> >
> > Some people have to set SELINUX=disabled in /etc/selinux/config or pass security=none from
> > the kernel command line.
> 
> If you specifically don't want in-kernel LSMs, and you specifically do want an out-of-tree LSM,
> there are other options. For example, you could just livepatch the security_* hooks you need,
> since you already would be using an LKM-based LSM. That would give you your
> out-of-tree module and would also disable selinux on the hooks that got livepatched.
> 

Ahh, ok, this is about out of tree LSMs.

This has been discussed many times over the years and the answer is always
the same: we will not add infrastructure to the kernel to support out of
tree code. This is a long-standing tenet of the Linux kernel.

-- 
James Morris
<jmorris@namei.org>

Thread overview: 17+ messages
2019-02-28 14:06 [PATCH] tomoyo: Add a kernel config option for fuzzing testing Tetsuo Handa
2019-03-04 13:35 ` Tetsuo Handa
2019-03-04 14:34   ` Stephen Smalley
2019-03-04 23:59     ` Tetsuo Handa
2019-03-05  3:32       ` James Morris
2019-03-11 13:18         ` Tetsuo Handa
2019-03-12 17:19           ` James Morris
2019-03-12 21:15             ` Tetsuo Handa
2019-03-12 21:19               ` James Morris
2019-03-12 21:56               ` Edwin Zimmerman
2019-03-13 20:00                 ` James Morris [this message]
2019-03-12 18:21 ` James Morris
2019-03-12 20:56   ` Tetsuo Handa
2019-03-12 21:24     ` James Morris
2019-03-13 10:29       ` Tetsuo Handa
2019-03-13 13:17         ` Paul Moore
2019-03-25 21:09           ` Tetsuo Handa
