[ I have CC'd my answer to the dazuko-devel mailing list because of the (possibly) interesting content. ]
Hi Eneko,

Here are some answers to your questions/comments.

Eneko Lacunza wrote:
> Have you ever tried to submit Dazuko to upstream Linux kernel tree?

No, but I have talked to many "important" kernel developers about it. The current version of Dazuko would never be accepted into the mainline because:

1. LSM is on its way out of the kernel. It is a flawed and ugly interface that should never have been created. For this reason, they do not want to accept any new additional LSM modules in the mainline.

2. Dazuko (2.3.x) can use syscall hooking instead of LSM. But this is a dirty hack that more resembles a rootkit than a security solution. This method of event interception is heavily frowned upon.

The correct solution for intercepting events is using a stackable filesystem. This is exactly what DazukoFS is. Although DazukoFS has been working in a test environment for over a year, I have not had the time to polish it up for an official preview release. Once DazukoFS is available (3.0.x), we may have a chance of getting into the mainline kernel.

But there are several other parts of Dazuko that may need to be significantly rewritten to better match the style of UNIX development. Here I am talking specifically about the communication protocol between user applications and the kernel. This is currently being done by passing user buffers into the kernel for communicating. Although this works well (and is quite efficient), it is very non-UNIX-like and may also come under fire.

> Instead, have you tried to talk to Linux distribution packagers, so that
> they include dazuko as part of the kernel package?

I have very close contact with Novell/SUSE. Until recently, they have always shipped with a Dazuko module. However, their new AppArmor application comes into conflict with Dazuko, which is why we needed to start using syscall hooking instead of LSM. But I am not sure if they will allow Dazuko back with syscall hooking.

We have had contact with RedHat several times, but the response is usually quite negative. RedHat has many kernel developers, so the syscall hooking is not ok for them.

Gentoo, Debian, and Ubuntu already have packages for Dazuko (though not all up-to-date).

> I think this is a common problem for many of us, so maybe we can try to
> work together to improve our users' experience.

I agree. My main goal is getting DazukoFS ready. This is a technical point that is quite important for acceptance of Dazuko. Once DazukoFS is ready, distributions will not have much of an argument why they shouldn't accept it. Although the functionality won't change with DazukoFS, the technical concept is quite different, which is important for kernel and distribution maintainers.

John Ogness
--
Dazuko Maintainer

_______________________________________________
Dazuko-devel mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/dazuko-devel
