out of tree lsm's
From: Peter Moody <hidden>
Date: 2017-03-20 19:45:34
On Mon, Mar 20, 2017 at 12:30 PM, Paul Moore [off-list ref] wrote:
> On Mon, Mar 20, 2017 at 2:54 PM, Peter Moody [off-list ref] wrote:
>> with the success of stackable lsm's, it occurs to me that site-specific,
>> out-of-tree modules could be extremely worthwhile.
>
> Keep in mind we don't have a general purpose solution ... yet. Casey
> continues to work on it, and I'm sure he'll have something at some point,
> but right now you are limited to a single "big" LSM (e.g. SELinux) and
> some combination of "small" LSMs (e.g. Yama).

right. sorry for the imprecise language; by site-specific I meant a "small"
lsm. I would love to have the ability to write a small lsm that I can build
as a module and load at boot, e.g. via initrd. AIUI, adding even a new
"small" lsm requires kconfig patches, building a new kernel, etc. I know
there are objections to dynamically loadable lsms and I was trying to find
a compromise that made them easier to work with.

Cheers,
peter

>> I realize that it doesn't make a lot of sense to have something that I
>> can insmod/rmmod well post-boot, but being able to at least stuff an lsm
>> in an initrd that's loaded during boot could be very helpful. Without
>> having any code to pick apart just now, is the idea of this functionality
>> amenable to folks?
>
> I think the usual comments about out-of-tree modules apply here; you're
> free to do what you like, but upstream is only going to offer limited
> help/support if/until the code starts its way upstream.
>
> --
> paul moore
> www.paul-moore.com