Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs

From: Kees Cook
Date: Tue Jan 08 2013 - 15:19:19 EST

Next message: Kees Cook: "Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs"
Previous message: Sean Paul: "Re: [PATCH] ARM: dts: exynos5250: Set HDMI version to v1.4"
In reply to: Casey Schaufler: "Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs"
Next in thread: James Morris: "Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jan 8, 2013 at 9:14 AM, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> On 1/8/2013 1:12 AM, James Morris wrote:
>> Yama is special-cased and can stay that way.
>
> Yama is *not* a special case, it is an example. It is the kind
> of new thing that provides security that is not access control.
> It was special cased at the request of distros because there was
> no general mechanism for including it along with the primary
> LSM.

I think he meant "there is a CONFIG to special-case Yama", but yes,
Yama is a good example. Now that finit_module has landed, I intend to
send another micro-LSM to provide logic for blocking modules when the
root devices is read-only.

It would be another example of an LSM that needs to be stacked with others.

-Kees

--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Kees Cook: "Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs"
Previous message: Sean Paul: "Re: [PATCH] ARM: dts: exynos5250: Set HDMI version to v1.4"
In reply to: Casey Schaufler: "Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs"
Next in thread: James Morris: "Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]