Re: LSM stacking in next for 6.1?

On 9/6/22 17:39, Casey Schaufler wrote:
> On 9/6/2022 5:10 PM, John Johansen wrote:
>> sorry I am wayyyy behind on this, so starting from here
>>
>> On 9/6/22 16:24, Paul Moore wrote:
>>> I can't currently in good conscience defend the kernel/userspace
>>> combined label interfaces as "good", especially when we have a very
>>> rare opportunity to do better.
>>
>> so I am going to grab and hold onto
>>
>>> Further, I think we can add the new syscall API separately from the
>>> LSM stacking changes as they do have standalone value.
>>
>> what I think Paul is saying is we can move the LSM stacking patches
>> forward by removing the combined label interface.
>
> Do you mean /proc/self/attr/interface_lsm? /proc/.../attr/context?

/proc/.../attr/context is the combined label interface.

/proc/self/attr/interface_lsm is an interesting question. It's not
a combined label interface; instead it is a new interface that allows
controlling which LSM the task gets to see on the old
/proc/.../attr/* interface.

Losing it would hurt (it's a useful tool and is currently necessary
for the SELinux host + AppArmor in container use case) but I think
if that is the cost to move forward, dropping it at least for now would
be worth it.

>> They won't be as
>> useful but it would be a huge step forward, and the next step could
>> be the syscall API.
