On Sunday 16 May 2010 03:35:09 Steve Langasek wrote:
> Given the difference in how kernels vs. init daemons are usually
> administered as part of a system, I think the runtime impact of supporting
> multiple LSMs in init is much more significant than supporting multiple
> LSMs in the kernel. I don't think we want init to have shared lib deps
> for each of the available LSMs.
In the early days of LSM development there was the idea that LSM modules could be kernel modules; this idea was given up early on. There was also the idea that modules could be "stacked" so that you could have multiple modules active at the same time (e.g. OpenWall /tmp protection as well as SE Linux), but that ended up not working well technically, so for ages it was only the Capability module that supported stacking. A quick check of the dmesg on a testing system indicates that capability is not regarded as a separate module any more (or at least it's not in the dmesg).

The patch to the SysVInit for SE Linux is very small; it wouldn't be difficult to have support for a dozen such LSM modules with case statements. Not that it would happen: the only LSM modules that are publicly available are SE Linux, Smack, AppArmor, and Tomoyo, and I think that SE Linux is the only one that needs an init patch.

Archive: http://lists.debian.org/201005211053.37318.russ...@coker.com.au
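The following is an added illustration of the case-statement approach described in the reply above; it is not the SysVInit patch from the thread or code from any of the LSM projects. It reads the comma-separated module list that newer kernels expose in /sys/kernel/security/lsm (that file did not exist in 2010, when dmesg was the only way to check) and falls back to a constructed sample string so it runs anywhere. The function names major_lsm and lsm_init_action and the per-LSM action strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the init patch discussed in the thread.
# /sys/kernel/security/lsm (kernels from about 4.2 onward) lists the
# active LSMs as a comma-separated string, e.g. "capability,yama,selinux".

# Return the first exclusive ("major") LSM in a comma-separated list, or
# "none". Stackable minor modules are skipped, mirroring the observation
# that capability is no longer treated as a separate module worth handling.
major_lsm() {
    list="$1"
    for m in $(printf '%s\n' "$list" | tr ',' ' '); do
        case "$m" in
            selinux|smack|apparmor|tomoyo)
                printf '%s\n' "$m"
                return 0
                ;;
            capability|yama|loadpin|safesetid|integrity|lockdown|landlock|bpf)
                # Stackable minor modules: nothing for init to do.
                ;;
            *)
                # Unknown module name: ignore it and keep looking.
                ;;
        esac
    done
    printf 'none\n'
}

# The per-LSM dispatch an init process would carry, in the style of the
# case statements the reply describes. Only SE Linux has a real setup
# step here; the action strings are placeholders for this example.
lsm_init_action() {
    case "$(major_lsm "$1")" in
        selinux)               echo "mount selinuxfs and load policy" ;;
        smack|apparmor|tomoyo) echo "no init patch required" ;;
        none)                  echo "no major LSM active" ;;
    esac
}

# Constructed sample in the format of /sys/kernel/security/lsm.
SAMPLE_LSM_LIST="capability,yama,selinux"

if [ -r /sys/kernel/security/lsm ]; then
    live=$(cat /sys/kernel/security/lsm)
    echo "live host ($live): $(lsm_init_action "$live")"
fi
echo "sample ($SAMPLE_LSM_LIST): $(lsm_init_action "$SAMPLE_LSM_LIST")"
```

Because the dispatch is a plain string match, adding another LSM is one more case arm with no new shared-library dependency for init; the library call only happens inside the arm for the LSM that actually needs it, which is the point being made against linking init to every LSM's library.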