Re: [BK PATCH] LSM changes for 2.5.59

From: Crispin Cowan
Date: Wed Feb 12 2003 - 17:22:34 EST

'Christoph Hellwig' wrote:

>[argg, any chance you two could get RFC-compliant mailers?]
>On Wed, Feb 12, 2003 at 07:11:09PM +0000, magniett wrote:
>>exist. For finishing : PLEASE, stop reducing LSM possibilities : it costs a lot to develop things for a hook and then
>>redeveloping it for a classical syscall interposition.
>There's no one taking away the LSM patches. Anyway life would be a lot
>simpler if you actually announced the stuff you do on lkml instead of hiding
>behind the moon. The only chance the hooks you need will stay is that you
>discuss them publicly here.

For the second time in a week, I agree with HCH: If you are developing
an LSM module, then by all means please make it publicly known. Whether
we host your source or not, we want to at least link to your site from

WRT "taking away LSM patches": HCH wants to remove hooks that "no one
uses" and also complains about LSM being a big ugly undesigned hack
lacking abstraction. LSM does have an abstract design: it mediates
access to major internal kernel objects (processes, inodes, etc.) by
user-space processes, throwing access requests out to the LSM module. If
you remove some of these hooks because they don't have a *present*
module using them, then you break the abstraction.

People tell me that preserving functionality for the sake of abstraction
is "not the Linux way". Ok, sure, but you degrade the quality of
abstraction if you aggressively prune the interface.

But it would be much better to short-circuit that debate, and have
extant modules that use the hooks than to try to defend them on the
basis of abstraction. So if your sekrit module uses a hook, post here,
or your hook may go away.


Crispin Cowan, Ph.D.
Chief Scientist, WireX            
Security Hardened Linux Distribution:
Available for purchase:
			    Just say ".Nyet"
