From:	 Crispin Cowan <crispin@wirex.com>
To:	 Linux Security Module <linux-security-module@wirex.com>
Subject: Authoritative Hooks
Date:	 Mon, 05 Nov 2001 11:13:33 -0800

I'm afraid that the authoritative hooks patch is not going to be accepted
into LSM prior to its initial submission to the kernel developers. After
careful consideration, none of the LSM committers are comfortable with
accepting this patch at this time.

As has been noted previously, the authoritative hooks patch raises at least
the following concerns:

   1. It is more invasive.
   2. It increases the likelihood that modules can accidentally
      undermine the base logic.
   3. It increases the likelihood that the LSM patch will introduce an
      error into the base kernel.

It is our belief that these changes do not belong in the initial version of
LSM (especially given our limited charter and original goals), and should
be proposed as incremental refinements after LSM has been initially
accepted. These changes pose a risk to the initial acceptance of LSM, which
could jeopardize the existing open source security modules that have no
need of these changes.

The arguments here are similar to those against moving all of the kernel
access control logic from the base kernel into the security modules in the
initial LSM. While this may be a worthy long term goal, it is not a
practical first step for LSM, and after careful consideration, it seems
that neither are authoritative hooks. We must walk before we can run.

We appreciate SGI's participation in LSM and hope that they will continue
to participate despite this setback. It is our belief that the current LSM
will provide a meaningful improvement in the security infrastructure of the
Linux kernel, and that there is plenty of room for future expansion of LSM
in subsequent phases. We look forward to continuing to work with SGI as
long as they are willing to do so.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html


