Re: [arch-dev-public] Trimming down our default kernel configuration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Am 27.03.2014 15:24, schrieb Simon Brand:
> Am 27.03.2014 13:46, schrieb Thomas Bächler:
>> Do you even know what that means? If I see this right, every time
>> the kernel needs to do some permission check, it needs to ask "are
>> we using LSM xyz?". In any case, it's more code and thus more room
>> for failure.
> 
> Not necessarily, i do not know the code of all the policy enforcement
> points, but if you have a function pointer to the policy decision
> function, you only have to query this function. So if you enable
> SELinux, you let the pointer point to the SELinux function.

Do you know that Linux operates this way? If so, at least we don't have
to assume that performance suffers. This again begs the question, why do
the LSMs need to be built-in? Why can't they be modular?

I don't expect you to answer these questions, they are just things that
I consider.

Perhaps let me rephrase my rationale: If we include support for an LSM
in Linux, it should be because we support it in our user-space, too. I
don't see SELinux being supported by default in Arch anytime soon. _If_
at some point we make a decision to support it (optional or by default),
we can enable it in the kernel.

The whole idea of trimming down the kernel is to stop enabling things
because some users _may_ _possibly_ want to use them.

Attachment: signature.asc
Description: OpenPGP digital signature


[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux