On Tuesday, April 23, 2013 09:04:06 AM Casey Schaufler wrote:
> Subject: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
>
> Change the infrastructure for Linux Security Modules (LSM)s from a
> single vector of hook handlers to a list based method for handling
> multiple concurrent modules.
>
> The "security=" boot option takes a comma separated list of LSMs,
> registering them in the order presented. The LSM hooks will be
> executed in the order registered. Hooks that return errors are
> not short circuited. All hooks are called even if one of the LSM
> hooks fails. The result returned will be that of the last LSM
> hook that failed.
...

> The NetLabel, XFRM and secmark facilities are restricted to use
> by one LSM at a time. This is due to limitations of the underlying
> networking mechanisms. The good news is that viable configurations
> can be created. The bad news is that the complexity of configuring
> a system is necessarily increased.

I know we had a good discussion about this a while back and I just wanted to hear from you about this current patchset; how does the labeled networking LSM assignment work? Is it first-come-first-served based on the 'security=' setting?

--
paul moore
www.paul-moore.com
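The hook-chaining rule quoted from the cover letter (modules registered in "security=" order, every hook called even after one fails, the return value taken from the last hook that failed) has a consequence worth seeing concretely: the order of the list decides which error the caller observes, and a module's hook still runs, with whatever side effects it has, after an earlier module has already denied the operation. The following userspace model is an added example, not code from the patchset or the kernel; the module names (mod_a, mod_b, mod_c), the single file_open hook, and the decision to ignore unknown names in the "security=" list are all constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LSMS 8

typedef int (*hook_fn)(const char *path);

struct lsm {
    const char *name;
    hook_fn file_open;   /* one hypothetical hook stands in for the whole hook set */
};

/* Constructed modules: names and policies are made up for this demo. */
static int mod_a_file_open(const char *path) { (void)path; return 0; }
static int mod_b_file_open(const char *path)
{
    return strstr(path, "secret") ? -EACCES : 0;
}
static int mod_c_file_open(const char *path)
{
    return strstr(path, "secret") ? -EPERM : 0;
}

static const struct lsm available[] = {
    { "mod_a", mod_a_file_open },
    { "mod_b", mod_b_file_open },
    { "mod_c", mod_c_file_open },
};

/* Ordered list of registered modules, built from "security=". */
struct lsm_chain {
    const struct lsm *mods[MAX_LSMS];
    int count;
};

/* Parse "security=a,b,c" and register known modules in the order given.
 * Unknown names are skipped here; that is an assumption for the demo,
 * the cover letter does not say how the real parser treats them.
 * Returns the number of modules registered. */
static int security_register(const char *opt, struct lsm_chain *chain)
{
    char buf[128];
    char *save = NULL, *tok;

    chain->count = 0;
    strncpy(buf, opt, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';

    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        for (size_t i = 0; i < sizeof(available) / sizeof(available[0]); i++) {
            if (strcmp(tok, available[i].name) == 0 && chain->count < MAX_LSMS) {
                chain->mods[chain->count++] = &available[i];
                break;
            }
        }
    }
    return chain->count;
}

/* The cover letter's rule: every registered hook runs, in registration
 * order, even after one fails, and the value returned is that of the
 * LAST hook that failed. ncalled reports how many hooks actually ran. */
static int security_file_open(const struct lsm_chain *chain, const char *path,
                              int *ncalled)
{
    int rc = 0;

    if (ncalled)
        *ncalled = 0;
    for (int i = 0; i < chain->count; i++) {
        int r = chain->mods[i]->file_open(path);
        if (ncalled)
            (*ncalled)++;
        if (r)
            rc = r;   /* no short circuit: a later failure replaces an earlier one */
    }
    return rc;
}

int main(void)
{
    struct lsm_chain chain;
    int n, rc;

    security_register("mod_a,mod_b,mod_c", &chain);
    rc = security_file_open(&chain, "/etc/secret.conf", &n);
    printf("security=mod_a,mod_b,mod_c: rc=%d (EPERM=%d), hooks run=%d\n",
           rc, -EPERM, n);

    security_register("mod_c,mod_b", &chain);
    rc = security_file_open(&chain, "/etc/secret.conf", &n);
    printf("security=mod_c,mod_b: rc=%d (EACCES=%d), hooks run=%d\n",
           rc, -EACCES, n);
    return 0;
}
```

With mod_b before mod_c the caller sees -EPERM; reverse the list and the same access returns -EACCES, and in both cases every hook ran. Anyone writing a module for this scheme should therefore not assume its hook is skipped when an earlier module has already refused, nor that its own error code is the one userspace sees.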