On Tue, Oct 23, 2018 at 9:48 AM, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> On 10/12/2018 12:01 PM, Kees Cook wrote:
>> On Friday, October 12, 2018 3:19 AM, John Johansen
>> <john.johansen@xxxxxxxxxxxxx> wrote:
>>> It isn't perfect but it manages consistency across distros as best as
>>> can be achieved atm.
>> Yeah, this is why I'm okay with the current series: it provides as
>> consistent a view as possible, but leaves room for future improvements
>> (like adding "+" or "!" or "all" or whatever).
>>
>> I'm curious to see what SELinux folks think of v5, though. I *think* I
>> addressed all the concerns there, even Paul's "I want my distro
>> default to not have extreme stacking" case too.
>>
>> -Kees
>
> Looks like I should go on vacation more often. :)
>
> I am generally opposed to fancy specification languages.
> I support the explicit lsm= list specification because you
> don't have to know any context to create a boot line that
> will work, and be as close to what you've specified as possible
> for the kernel configuration. One need look no further than
> the mechanisms for setting POSIX ACLs for an example of
> how to ensure a feature isn't used.
>
> Had we the foresight to make security= take a list of
> modules when Yama was added we might have avoided some of
> this brouhaha, but there was no reason to expect that stacking
> was ever going to happen back then.

This sounds like an "Ack" for you? :)

I'll harass everyone in person in a couple days. Did you poke around at
my combined series?

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=lsm/ordering-v6-blob-sharing

-Kees

-- 
Kees Cook
Pixel Security