El mar, 29-08-2006 a las 17:31, John Ogness escribió:
I've noticed some traffic lately in linux-security-modules mailing list, with patches for a new module been submitted. Anyway, it is clear that LSM has important problems.Eneko Lacunza wrote: > Have you ever tried to submit Dazuko to upstream Linux kernel tree? No, but I have talked to many "important" kernel developers about it. The current version of Dazuko would never be accepted into the mainline because: 1. LSM is on its way out of the kernel. It is a flawed and ugly interface that should never have been created. For this reason, they do not want to accept any new additional LSM modules in the mainline.
[...]
Do you have any date estimates for a preview?The correct solution for intercepting events is using a stackable filesystem. This is exactly what DazukoFS is. Although DazukoFS has been working in a test environment for over a year, I have not had the time to polish it up for an official preview release. Once DazukoFS is available (3.0.x), we may have a chance of getting into the mainline kernel.
I think we'll know about this when you submit the module to a linux development tree :)But there are several other parts of Dazuko that may need to be significantly rewritten to better match the style of UNIX development. Here I am talking specifically about the communication protocol between user applications and the kernel. This is currently being done by passing user buffers into the kernel for communicating. Although this works well (and is quite effecient), it is very non-UNIX-like and may also come under fire.
The problem with those packages is that usually they're not updated when there is a kernel module ABI change. And even if they are, usually the user has to install the package with the new ABI manually. Or other times it is a source containing package (debian) so the user has to recompile the module.> Instead, have you tried to talk to Linux distribution packagers, so that > they include dazuko as part of the kernel package? I have very close contact with Novell/SUSE. Until recently, they have always shipped with a Dazuko module. However, their new AppArmor application comes in conflict with Dazuko, which is why we needed to start using syscall hooking instead of LSM. But I am not sure if they will allow Dazuko back with syscall hooking. We have had contact with RedHat several times, but the response is usually quite negative. RedHat has many kernel developers, so the syscall hooking is not ok for them. Gentoo, Debian, and Ubuntu already have packages for Dazuko (though not all up-to-date).
Have you noticed that Ubuntu 6.06 kernel ships with dazuko 2.2.0 starting with kernel package 2.6.15-26.46? :-)
Maybe we can talk to other distros for the same approach; RedHat and Novell will be difficult, but maybe others will be more pragmatic. This solves lots of problems both to the users and developers.
> I think this is a common problem for many of us, so maybe we can try to > work together to improve our users' experience. I agree. My main goal is getting DazukoFS ready. This is a technical point that is quite important for acceptance of Dazuko. Once DazukoFS is ready, distributions will not have much of an argument why they shouldn't accept it. Although the functionality won't change with DazukoFS, the technical concept is quite different, which is important for kernel and distribution maintainers.
I agree. This should make dazuko to be in the Linus kernel tree sooner or later, and after that all kernel module ABI change related problems will be gone :)
Thanks.
Regards,
-- Eneko Lacunza I+D Dpt. Panda Software - Bilbao (Spain) - http://www.pandasoftware.es |
_______________________________________________ Dazuko-devel mailing list [email protected] http://lists.nongnu.org/mailman/listinfo/dazuko-devel
