
Re: realtime-lsm and Debian kernel



Quoting Horms <horms@debian.org>:

> On Tue, Oct 11, 2005 at 01:27:27PM +0200, Christoph Hellwig wrote:
> > On Tue, Oct 11, 2005 at 06:24:20AM -0500, Geiger Guenter wrote:
> > > This means that it has to be dropped. That's ok with me, it means less
> > > work. What was the reason again for not including the capabilities as
> > > a module?
> >
> > Making Security modules actually modular means they don't have the full
> > view of the process and generally is a bad idea.  For the specific case
> > of capabilities there even was an exploit in the past.  If we want to
> > support a given security module in debian we should compile it into the
> > kernel statically.
>
> If I recall, lsm wasn't well received upstream, in which case
> dropping it is probably a good idea anyway.

Yes, it's true that it wasn't accepted upstream, but it is, security-wise,
still the best solution to gain the necessary realtime permissions for audio
work. That's the main reason why I don't want to throw it away without a
thought. If I understand correctly, the modular approach would be acceptable if
the capabilities module would not be removable.
I think this should be achievable.

Günter




>
> --
> Horms
>
>



