James Morris wrote:
> Convert LSM into a static interface, as the ability to unload a security
> module is not required by in-tree users

I'm so confused.
How do you define in-tree users?
Currently, who are in-tree users of LSM?
How many are they?
Are their needs most important? If yes, why?
How did you get the idea that "in-tree" users do not need to unload
security modules?

If the LSM interface is static (people cannot load/unload modules
dynamically, people cannot use their custom modules with the framework
since *register_security things are commented out), then why do we need
it? Why not just merge the in-tree modules into the kernel code (for
less performance overhead)?

What is the LSM framework meant for? For capability? For SELinux? Or for
Linux users all over the world to develop and deploy their custom
modules? What on earth is the LSM framework meant for?

People need a camera to make their own home videos, but they don't need
to integrate their home videos into the design of the camera because
other people don't need it. People need to run their custom security
modules on the LSM framework (without modifying kernel code), but it is
not necessary for them to make their modules in-tree because the modules
are highly customized and only suit special needs. There are few
in-tree security modules because it is very hard to unify people's
security needs, and this does not give any justification for removing
the LSM framework or making it static.

I don't see any _need_ to make capability a bool option. I don't see
any _justification_ to make the interface static.

Hao