Re: [PATCH 0/7 v22] LSM: Multiple concurrent LSMs

From: Casey Schaufler
Date: Thu May 07 2015 - 16:36:52 EST


On 5/7/2015 1:23 PM, Stephen Smalley wrote:
> On 05/07/2015 04:22 PM, Mimi Zohar wrote:
>> On Thu, 2015-05-07 at 14:07 -0400, Paul Moore wrote:
>>> On Thu, May 7, 2015 at 10:47 AM, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>>>> On 5/7/2015 4:37 AM, James Morris wrote:
>>>>> On Sat, 2 May 2015, Casey Schaufler wrote:
>>>>>
>>>>>> Subject: [PATCH 0/7 v22] LSM: Multiple concurrent LSMs
>>>>> Please add all of the Acked-by etc. from the patch review process.
>>>> For v21 I had Acks from:
>>>>
>>>> John Johansen <john.johansen@xxxxxxxxxxxxx>
>>>> Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
>>>> Stephen Smalley <sds@xxxxxxxxxxxxx> (after patch 8/7)
>>>> Kees Cook <keescook@xxxxxxxxxxxx>
>>>>
>>>> Would you check out v22 and supply (or not) your Acks?
>>>>
>>>> Eric, Paul, it would be reassuring if you'd chime in as well.
>>> Kubernetes has swallowed Eric whole I'm afraid, I don't think you want
>>> to wait on him to review these patches.
>>>
>>> However, it is a bit ridiculous that I haven't had time to seriously
>>> review these patches yet; I promise to take a look and send my
>>> comments/ACKs before my head hits the pillow tonight.
>> Seems to be working with SELinux, EVM and IMA enabled. I haven't tried
>> enabling an additional LSM. Casey, do you have an additional LSM for
>> testing?
> I've tested SELinux+Yama.

The deepest "stack" you can have today is Capability+Yama+YourChoice.
You always get Capability, so you really only get to choose if you stack
Yama with something else. That's not more depth than you had before, but
the special case coding for Capability and Yama is replaced by the general
scheme.
