On Thu, Jun 17, 2010 at 11:18:59PM +0100, Alan Cox wrote:
> > And for them, it certainly seems like a good idea to be able to turn off
> > PTRACE without having to fiddle with an LSM.
>
> But that *is* an LSM, it's a security policy.
>
> You don't seem to get it - even the default kernel security is a
> security policy (security/commoncap.c etc)

I do get it. I also get that every LSM calls out to commoncap, making it
effectively stacked with the primary LSM -- the only LSM that gets stacked.

In fact, this is how I even started implementing these features: as patches
to commoncap, but James preferred it to be in core since they are of general
utility. But core people want the changes in security/ instead. I don't mind
putting them in commoncap at all. I would just like people to agree on what
they disagree about. :)

-Kees

--
Kees Cook
Ubuntu Security Team
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
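To make the stacking Kees describes concrete, here is an added user-space model (not kernel code, not Kees Cook's patch, and not part of this thread) of how a primary LSM's ptrace_access_check hook consults commoncap first, so that a deny from commoncap is final and the module can only add restrictions on top. The capability rule follows the shape of cap_ptrace_access_check() in security/commoncap.c of that era; the ptrace_scope switch and its ancestor-only rule are assumptions standing in for the ptrace restriction feature under discussion, whose actual semantics this page does not state; the process table and pids are constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_NET_BIND_SERVICE 10   /* bit numbers as in linux/capability.h */
#define CAP_SYS_PTRACE       19

struct task {
    int pid;
    int ppid;
    uint64_t cap_permitted;       /* capability set modelled as a 64-bit mask */
};

/* Constructed process table (not from any real system): pid 1 holds every
 * capability; 100 is an unprivileged shell with children 101 and 102;
 * 200 is an unrelated daemon that kept one capability. */
static const struct task tasks[] = {
    { 1,   0,   UINT64_MAX },
    { 100, 1,   0 },
    { 101, 100, 0 },
    { 102, 100, 0 },
    { 200, 1,   1ULL << CAP_NET_BIND_SERVICE },
};
#define NTASKS (sizeof tasks / sizeof tasks[0])

static const struct task *find_task(int pid)
{
    for (size_t i = 0; i < NTASKS; i++)
        if (tasks[i].pid == pid)
            return &tasks[i];
    return NULL;
}

static bool cap_issubset(uint64_t a, uint64_t b) { return (a & ~b) == 0; }
static bool capable(const struct task *t, int cap) { return (t->cap_permitted >> cap) & 1; }

/* The commoncap rule: attach is allowed if the tracer's permitted set covers
 * the target's, or the tracer holds CAP_SYS_PTRACE. */
static int cap_ptrace_access_check(const struct task *tracer, const struct task *child)
{
    if (!cap_issubset(child->cap_permitted, tracer->cap_permitted) &&
        !capable(tracer, CAP_SYS_PTRACE))
        return -EPERM;
    return 0;
}

/* Hypothetical extra policy (an assumption for this example only): when
 * ptrace_scope is set, only an ancestor of the target may attach unless the
 * tracer holds CAP_SYS_PTRACE. */
static int ptrace_scope = 0;

void set_ptrace_scope(int on) { ptrace_scope = on ? 1 : 0; }

static bool is_ancestor(const struct task *tracer, const struct task *child)
{
    for (const struct task *t = find_task(child->ppid); t; t = find_task(t->ppid))
        if (t->pid == tracer->pid)
            return true;
    return false;
}

/* The primary LSM's hook: commoncap runs first and its deny cannot be
 * overridden; the module may only tighten the result. That is the
 * "effectively stacked" behaviour the message refers to. */
static int lsm_ptrace_access_check(const struct task *tracer, const struct task *child)
{
    int rc = cap_ptrace_access_check(tracer, child);
    if (rc)
        return rc;
    if (ptrace_scope && !capable(tracer, CAP_SYS_PTRACE) && !is_ancestor(tracer, child))
        return -EPERM;
    return 0;
}

/* Entry point by pid, standing in for security_ptrace_access_check(). */
int security_ptrace_access_check(int tracer_pid, int child_pid)
{
    const struct task *tracer = find_task(tracer_pid), *child = find_task(child_pid);
    if (!tracer || !child)
        return -ESRCH;
    return lsm_ptrace_access_check(tracer, child);
}

int main(void)
{
    set_ptrace_scope(0);
    printf("scope=0: 102->101: %d, 100->200: %d\n",
           security_ptrace_access_check(102, 101), security_ptrace_access_check(100, 200));
    set_ptrace_scope(1);
    printf("scope=1: 102->101: %d, 100->101: %d, 1->101: %d\n",
           security_ptrace_access_check(102, 101), security_ptrace_access_check(100, 101),
           security_ptrace_access_check(1, 101));
    return 0;
}
```

The ordering in lsm_ptrace_access_check is the point: whether the extra rule lives in commoncap itself or in a module that calls it, a process that commoncap refuses (100 tracing 200, which kept a capability 100 lacks) stays refused, and flipping the switch can only remove attach rights (102 tracing its sibling 101), never grant them.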