Re: [PATCH security-next v5 00/30] LSM: Explict ordering
From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2018-10-23 19:05:22
Also in: linux-arch, linux-doc
On 10/23/2018 11:50 AM, Kees Cook wrote:
> On Tue, Oct 23, 2018 at 9:48 AM, Casey Schaufler [off-list ref] wrote:
>> On 10/12/2018 12:01 PM, Kees Cook wrote:
>>> On Friday, October 12, 2018 3:19 AM, John Johansen [off-list ref] wrote:
>>>> It isn't perfect but it manages consistency across distros as best as can be achieved atm.
>>>
>>> Yeah, this is why I'm okay with the current series: it provides as consistent a view as possible, but leaves room for future improvements (like adding "+" or "!" or "all" or whatever). I'm curious to see what SELinux folks think of v5, though. I *think* I addressed all the concerns there, even Paul's "I want my distro default to not have extreme stacking" case too.
>>>
>>> -Kees
>>
>> Looks like I should go on vacation more often. :)
>>
>> I am generally opposed to fancy specification languages. I support the explicit lsm= list specification because you don't have to know any context to create a boot line that will work, and be as close to what you've specified as possible for the kernel configuration. One need look no further than the mechanisms for setting POSIX ACLs for an example of how to ensure a feature isn't used. Had we the foresight to make security= take a list of modules when Yama was added we might have avoided some of this brouhaha, but there was no reason to expect that stacking was ever going to happen back then.
>
> This sounds like an "Ack" for you? :) I'll harass everyone in person in a couple days.

Acked-by: Casey Schaufler <casey@schaufler-ca.com>

> Did you poke around at my combined series? https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=lsm/ordering-v6-blob-sharing

I hope to do that on the plane later today.

> -Kees