On 1/8/2013 9:47 AM, Stephen Smalley wrote:
> On 01/07/2013 08:54 PM, Casey Schaufler wrote:
>> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s
>> from a single vector of hook handlers to a list b
Casey Schaufler writes:
>> When a distro is run in a container it is desirable to be able to run
>> the distro's security policy in that container. Ideally this will get
>> addressed by being able to do some level of per user namespace stacking.
>> Say selinux outside and apparmor inside a conta
On 1/10/2013 4:46 PM, Eric W. Biederman wrote:
> John Johansen writes:
>
>> On 01/09/2013 05:28 AM, James Morris wrote:
>>> On Tue, 8 Jan 2013, John Johansen wrote:
>>>
> I'd say we need to see the actual use-case for Smack and Apparmor being
> used together, along with at least one major
On 01/10/2013 05:13 PM, Eric W. Biederman wrote:
> John Johansen writes:
>
>>> When a distro is run in a container it is desirable to be able to run
>>> the distro's security policy in that container. Ideally this will get
>>> addressed by being able to do some level of per user namespace stacki
John Johansen writes:
>> When a distro is run in a container it is desirable to be able to run
>> the distro's security policy in that container. Ideally this will get
>> addressed by being able to do some level of per user namespace stacking.
>> Say selinux outside and apparmor inside a contain
On 01/10/2013 04:46 PM, Eric W. Biederman wrote:
> John Johansen writes:
>
>> On 01/09/2013 05:28 AM, James Morris wrote:
>>> On Tue, 8 Jan 2013, John Johansen wrote:
>>>
> I'd say we need to see the actual use-case for Smack and Apparmor being
> used together, along with at least one ma
John Johansen writes:
> On 01/09/2013 05:28 AM, James Morris wrote:
>> On Tue, 8 Jan 2013, John Johansen wrote:
>>
I'd say we need to see the actual use-case for Smack and Apparmor being
used together, along with at least one major distro committing to support
this.
>>
John Johansen wrote:
> On 01/09/2013 05:28 AM, James Morris wrote:
> > On Tue, 8 Jan 2013, John Johansen wrote:
> >
> >>> I'd say we need to see the actual use-case for Smack and Apparmor being
> >>> used together, along with at least one major distro committing to support
> >>> this.
> >>>
> >>
On 01/09/2013 05:28 AM, James Morris wrote:
> On Tue, 8 Jan 2013, John Johansen wrote:
>
>>> I'd say we need to see the actual use-case for Smack and Apparmor being
>>> used together, along with at least one major distro committing to support
>>> this.
>>>
>>>
>> Ubuntu is very interested in sta
On 1/9/2013 5:42 AM, James Morris wrote:
> On Tue, 8 Jan 2013, Casey Schaufler wrote:
>
>> What I was hoping to say, and apparently didn't, is that people
>> are developing "total" solutions in user space, when some of the
>> work ought to be done in an LSM. Work that is appropriate to the
>> kerne
On Tue, 8 Jan 2013, Casey Schaufler wrote:
> What I was hoping to say, and apparently didn't, is that people
> are developing "total" solutions in user space, when some of the
> work ought to be done in an LSM. Work that is appropriate to the
> kernel is being done in user space. Often badly, beca
On Tue, 8 Jan 2013, John Johansen wrote:
> > I'd say we need to see the actual use-case for Smack and Apparmor being
> > used together, along with at least one major distro committing to support
> > this.
> >
> >
> Ubuntu is very interested in stacking
Which modules?
--
James Morris
On 01/08/2013 01:12 AM, James Morris wrote:
> On Mon, 7 Jan 2013, Casey Schaufler wrote:
>
>> There has been an amazing amount of development in system security
>> over the past three years. Almost none of it has been in the kernel.
>> One important reason that it is not getting done in the kernel
On Mon, Jan 7, 2013 at 5:54 PM, Casey Schaufler wrote:
> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
> [...]
> Signed-off-by: Casey Schaufler
Feel free to carry my Acked-by on the Yama bits and the core bits.
Looks great. :)
-Kees
--
Kees Cook
Chrome OS Security
On Tue, Jan 8, 2013 at 9:14 AM, Casey Schaufler wrote:
> On 1/8/2013 1:12 AM, James Morris wrote:
>> Yama is special-cased and can stay that way.
>
> Yama is *not* a special case, it is an example. It is the kind
> of new thing that provides security that is not access control.
> It was special ca
On 01/08/2013 09:47 AM, Stephen Smalley wrote:
> On 01/07/2013 08:54 PM, Casey Schaufler wrote:
>> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s
>> from a single vector of hook handlers to
On 1/8/2013 9:47 AM, Stephen Smalley wrote:
> On 01/07/2013 08:54 PM, Casey Schaufler wrote:
>> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s
>> from a single vector of hook handlers to a list b
On 01/07/2013 08:54 PM, Casey Schaufler wrote:
Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
A level of indirection has
On 1/8/2013 1:12 AM, James Morris wrote:
> On Mon, 7 Jan 2013, Casey Schaufler wrote:
>
>> There has been an amazing amount of development in system security
>> over the past three years. Almost none of it has been in the kernel.
>> One important reason that it is not getting done in the kernel is
On Mon, 7 Jan 2013, Casey Schaufler wrote:
> There has been an amazing amount of development in system security
> over the past three years. Almost none of it has been in the kernel.
> One important reason that it is not getting done in the kernel is
> that the current single LSM restriction requi
On Mon, Jan 07, 2013 at 20:02 -0800, Casey Schaufler wrote:
> On 1/7/2013 7:01 PM, Stephen Rothwell wrote:
> > Let me ask Andrew's question: Why do you want to do this (what is the
> > use case)? What does this gain us?
>
> There has been an amazing amount of development in system security
> ove
On Mon, Jan 07, 2013 at 20:11 -0800, Casey Schaufler wrote:
> On 1/7/2013 7:59 PM, Stephen Rothwell wrote:
> > You probably also want to think a bit harder about the order of the
> > patches - you should introduce new APIs before you use them and remove
> > calls to functions before you remove the
On 1/7/2013 7:59 PM, Stephen Rothwell wrote:
> Hi Casey,
>
> On Tue, 8 Jan 2013 14:01:59 +1100 Stephen Rothwell
> wrote:
>> Let me ask Andrew's question: Why do you want to do this (what is the
>> use case)? What does this gain us?
>>
>> Also, you should use unique subjects for each of the patc
On 1/7/2013 7:01 PM, Stephen Rothwell wrote:
> Hi Casey,
>
> On Mon, 07 Jan 2013 17:54:24 -0800 Casey Schaufler
> wrote:
>> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s
>> from a sing
Hi Casey,
On Tue, 8 Jan 2013 14:01:59 +1100 Stephen Rothwell
wrote:
>
> Let me ask Andrew's question: Why do you want to do this (what is the
> use case)? What does this gain us?
>
> Also, you should use unique subjects for each of the patches in the
> series.
You probably also want to think
Hi Casey,
On Mon, 07 Jan 2013 17:54:24 -0800 Casey Schaufler
wrote:
>
> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>
> Change the infrastructure for Linux Security Modules (LSM)s
> from a single vector of hook handlers to a list based method
> for handling m
Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
A level of indirection has been introduced in the handling of
security blobs