On 1/8/2013 9:47 AM, Stephen Smalley wrote:
> On 01/07/2013 08:54 PM, Casey Schaufler wrote:
>> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s
>> from a single vector of hook handlers to a list b
Casey Schaufler writes:
>> When a distro is run in a container it is desirable to be able to run
>> the distro's security policy in that container. Ideally this will get
>> addressed by being able to do some level of per user namespace stacking.
>> Say selinux outside and apparmor inside a
On 1/10/2013 4:46 PM, Eric W. Biederman wrote:
> John Johansen writes:
>
>> On 01/09/2013 05:28 AM, James Morris wrote:
>>> On Tue, 8 Jan 2013, John Johansen wrote:
>>>
> I'd say we need to see the actual use-case for Smack and Apparmor being
> used together, along with at least one
On 01/10/2013 05:13 PM, Eric W. Biederman wrote:
> John Johansen writes:
>
>>> When a distro is run in a container it is desirable to be able to run
>>> the distro's security policy in that container. Ideally this will get
>>> addressed by being able to do some level of per user namespace
John Johansen writes:
>> When a distro is run in a container it is desirable to be able to run
>> the distro's security policy in that container. Ideally this will get
>> addressed by being able to do some level of per user namespace stacking.
>> Say selinux outside and apparmor inside a
On 01/10/2013 04:46 PM, Eric W. Biederman wrote:
> John Johansen writes:
>
>> On 01/09/2013 05:28 AM, James Morris wrote:
>>> On Tue, 8 Jan 2013, John Johansen wrote:
>>>
> I'd say we need to see the actual use-case for Smack and Apparmor being
> used together, along with at least one
John Johansen writes:
> On 01/09/2013 05:28 AM, James Morris wrote:
>> On Tue, 8 Jan 2013, John Johansen wrote:
>>
I'd say we need to see the actual use-case for Smack and Apparmor being
used together, along with at least one major distro committing to support
this.
John Johansen wrote:
> On 01/09/2013 05:28 AM, James Morris wrote:
> > On Tue, 8 Jan 2013, John Johansen wrote:
> >
> >>> I'd say we need to see the actual use-case for Smack and Apparmor being
> >>> used together, along with at least one major distro committing to support
> >>> this.
> >>>
>
On 01/09/2013 05:28 AM, James Morris wrote:
> On Tue, 8 Jan 2013, John Johansen wrote:
>
>>> I'd say we need to see the actual use-case for Smack and Apparmor being
>>> used together, along with at least one major distro committing to support
>>> this.
>>>
>>>
>> Ubuntu is very interested in
On 1/9/2013 5:42 AM, James Morris wrote:
> On Tue, 8 Jan 2013, Casey Schaufler wrote:
>
>> What I was hoping to say, and apparently didn't, is that people
>> are developing "total" solutions in user space, when some of the
>> work ought to be done in an LSM. Work that is appropriate to the
>>
On Tue, 8 Jan 2013, Casey Schaufler wrote:
> What I was hoping to say, and apparently didn't, is that people
> are developing "total" solutions in user space, when some of the
> work ought to be done in an LSM. Work that is appropriate to the
> kernel is being done in user space. Often badly,
On Tue, 8 Jan 2013, John Johansen wrote:
> > I'd say we need to see the actual use-case for Smack and Apparmor being
> > used together, along with at least one major distro committing to support
> > this.
> >
> >
> Ubuntu is very interested in stacking
Which modules?
--
James Morris
On 01/08/2013 01:12 AM, James Morris wrote:
> On Mon, 7 Jan 2013, Casey Schaufler wrote:
>
>> There has been an amazing amount of development in system security
>> over the past three years. Almost none of it has been in the kernel.
>> One important reason that it is not getting done in the
On Mon, Jan 7, 2013 at 5:54 PM, Casey Schaufler wrote:
> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
> [...]
> Signed-off-by: Casey Schaufler
Feel free to carry my Acked-by on the Yama bits and the core bits.
Looks great. :)
-Kees
--
Kees Cook
Chrome OS Security
On Tue, Jan 8, 2013 at 9:14 AM, Casey Schaufler wrote:
> On 1/8/2013 1:12 AM, James Morris wrote:
>> Yama is special-cased and can stay that way.
>
> Yama is *not* a special case, it is an example. It is the kind
> of new thing that provides security that is not access control.
> It was special
On 01/08/2013 09:47 AM, Stephen Smalley wrote:
> On 01/07/2013 08:54 PM, Casey Schaufler wrote:
>> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s
>> from a single vector of hook hand
On 01/07/2013 08:54 PM, Casey Schaufler wrote:
Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
A level of indirection has
On 1/8/2013 1:12 AM, James Morris wrote:
> On Mon, 7 Jan 2013, Casey Schaufler wrote:
>
>> There has been an amazing amount of development in system security
>> over the past three years. Almost none of it has been in the kernel.
>> One important reason that it is not getting done in the kernel is
On Mon, 7 Jan 2013, Casey Schaufler wrote:
> There has been an amazing amount of development in system security
> over the past three years. Almost none of it has been in the kernel.
> One important reason that it is not getting done in the kernel is
> that the current single LSM restriction
On Mon, Jan 07, 2013 at 20:02 -0800, Casey Schaufler wrote:
> On 1/7/2013 7:01 PM, Stephen Rothwell wrote:
> > Let me ask Andrew's question: Why do you want to do this (what is the
> > use case)? What does this gain us?
>
> There has been an amazing amount of development in system security
>
On Mon, Jan 07, 2013 at 20:11 -0800, Casey Schaufler wrote:
> On 1/7/2013 7:59 PM, Stephen Rothwell wrote:
> > You probably also want to think a bit harder about the order of the
> > patches - you should introduce new APIs before you use them and remove
> > calls to functions before you remove the
On 1/7/2013 7:59 PM, Stephen Rothwell wrote:
> Hi Casey,
>
> On Tue, 8 Jan 2013 14:01:59 +1100 Stephen Rothwell
> wrote:
>> Let me ask Andrew's question: Why do you want to do this (what is the
>> use case)? What does this gain us?
>>
>> Also, you should use unique subjects for each of the
On 1/7/2013 7:01 PM, Stephen Rothwell wrote:
> Hi Casey,
>
> On Mon, 07 Jan 2013 17:54:24 -0800 Casey Schaufler
> wrote:
>> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s
>> from a sing
Hi Casey,
On Tue, 8 Jan 2013 14:01:59 +1100 Stephen Rothwell
wrote:
>
> Let me ask Andrew's question: Why do you want to do this (what is the
> use case)? What does this gain us?
>
> Also, you should use unique subjects for each of the patches in the
> series.
You probably also want to
Hi Casey,
On Mon, 07 Jan 2013 17:54:24 -0800 Casey Schaufler
wrote:
>
> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>
> Change the infrastructure for Linux Security Modules (LSM)s
> from a single vector of hook handlers to a list based method
> for handling m
Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
A level of indirection has been introduced in the handling of
security blobs