Re: What went wrong with LSM, was: Re: [BK PATCH] LSM changes for 2.5.59

From: James Morris (
Date: Wed Feb 12 2003 - 20:02:31 EST

On Wed, 12 Feb 2003, 'Christoph Hellwig' wrote:

> And here we see _the_ problem with the LSM process. LSM wasn't
> developed as part of the broad kernel community (lkml) but on
> a rather small, almost private list.

Many of the things that you are saying in this discussion are untrue.

The bulk of the development process was carried out for more than two
years on the LSM development mailing list, which is fully public and open
to anyone. It is not "almost private", whatever that is supposed to mean.

Should those thousands of emails have ended up on lkml instead? Before
you answer, try reading the first thousand (which I actually did when
joining the project).

As for "rather small", hundreds of people were involved in discussion
during the initial development phase (Chris Wright generated some stats on
this last year). These people included numerous long time kernel
developers, commercial developers, well known security researchers and
anyone else who was interested enough to join.

There were specific LSM discussions at two kernel summits, while multiple
OLS presentations have been given on LSM. These events were further
covered by numerous online media sites. LSM information was posted
several times to lkml, before and after the initial codebase was
developed. If you didn't notice any of these things before you started
complaining recently, please don't blame the LSM developers.

I do agree that we should have worked more closely with maintainers from
the beginning, but this was not out of trying to be secretive (of which we
have been accused quite a few times). This happened out of believing that
we should reach a design consensus and write some code via the before
bothering any maintainers. This approach was clearly flawed, and efforts
have since been made to rectify this for ongoing development.

(Note that this process occured publicly on the LSM development mailing
list, and that code was checked in as it was developed to publicly
accessible bk repositories).

And I also agree that it would have been better if more people in general
discussed LSM on lkml. For whatever reason, they did not. I can point
you to many instances of LSM posts being made to lkml with zero response.

The first LSM patch sent to lkml was actually applied by Linus with no
discussion from anyone else, _very_ much to our surprise. We definitely
expected significant discussion from lkml subscribers and a highly
probable subsequent phase of rework before it would be accepted into

> People added hooks not because they generally make sense but because
> their module needed it.

SELinux was used as a model for LSM because SELinux is _itself_ a
generalized access control framework (arising from over a decade of
research). SELinux already supported MAC, TE, RBAC, IBAC and MLS, and was
one of the few existing Linux security projects with significant coverage
across the kernel. Thus, it was an ideal basis for use as a model for the
initial design of the LSM hook placement and abstraction strategy. Many
other projects were used as models as well. In fact, I reviewed in detail
_every_ single Linux security project I could find when implementing the
networking hooks.

Claims of a "secret" and non-generalized design process are baseless.

- James

James Morris

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to More majordomo info at Please read the FAQ at

This archive was generated by hypermail 2b29 : Sat Feb 15 2003 - 22:00:45 EST