Linux-Security-Module Archive on
 help / color / Atom feed
From: (Casey Schaufler)
Subject: out of tree lsm's
Date: Tue, 21 Mar 2017 09:21:56 -0700
Message-ID: <> (raw)
In-Reply-To: <>

On 3/21/2017 9:06 AM, Peter Moody wrote:
> On Tue, Mar 21, 2017 at 8:36 AM, Casey Schaufler <> wrote:
>> On 3/21/2017 3:41 AM, Tetsuo Handa wrote:
>>> Tetsuo Handa wrote:
>>>> Casey Schaufler wrote:
>>>>>> right. sorry for the imprecise language; by site-specific I meant a "small" lsm.
>>>>>> I would love to have the ability write a small lsm that I can build as
>>>>>> a module and load at boot eg. via initrd.
>>>>>> AIUI, adding even a new "small" lsm requires kconfig patches, building
>>>>>> a new kernel, etc. I know there are objections to dynamically loadable
>>>>>> lsms and I was trying to find a compromise that made them easier to
>>>>>> work with.
>>>>> The stacking design criteria I'm working with
>>>>> include not doing anything that would prevent
>>>>> dynamic module loading. I do not plan to implement
>>>>> dynamic loading. Tetsuo has been a strong
>>>>> advocate of loadable modules. I would expect to
>>>>> see a proposal from him shortly after the
>>>>> general stacking lands, assuming it does.
>>>> But currently __lsm_ro_after_init which is planned to go to 4.12 is preventing
>>>> dynamic modules from loading. We need a legitimate interface for loadable modules like
>>>> at .
>>>> Requiring rodata=0 kernel command line option to allow dynamic modules is silly.
>>> I think we need something like below change when allowing loadable modules.
>> I believe that a simpler approach would be to
>> add a separate list of dynamic hooks to supliment
>> the list of static hooks. If SELinux unloading is
>> desired the SELinux hooks would be put on the
>> dynamic list which would not be "hardened" with
>> _ro_after_init, where the rest of the static modules
>> would be.
> FWIW, I don't know if that would solve the case I was initially asking
> about since the out-of-tree lsm I was hoping to be able to access all
> of the standard security hooks with an out-of-tree module.

It would work fine. All I'm suggesting is that in addition
to security_hook_heads there would be a
security_hooks_heads_dynamic. The code in security.c would
be stretched to loop through both lists. Any locking or
other complexity associated with being dynamic would be
limited to the dynamic list.

To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at
More majordomo info at

  reply index

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-20 18:54 Peter Moody
2017-03-20 19:30 ` Paul Moore
2017-03-20 19:45   ` Peter Moody
2017-03-20 20:17     ` Casey Schaufler
2017-03-20 22:18       ` Tetsuo Handa
2017-03-21 10:41         ` Tetsuo Handa
2017-03-21 15:36           ` Casey Schaufler
2017-03-21 16:06             ` Peter Moody
2017-03-21 16:21               ` Casey Schaufler [this message]
2017-03-21 21:53                 ` Tetsuo Handa
2017-03-21 22:10                   ` Casey Schaufler
2017-03-22 12:13                     ` Tetsuo Handa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Security-Module Archive on

Archives are clonable:
	git clone --mirror linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ \
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone