Re: realtime-lsm and Debian kernel
On Tue, Oct 11, 2005 at 01:27:27PM +0200, Christoph Hellwig wrote:
> On Tue, Oct 11, 2005 at 06:24:20AM -0500, Geiger Guenter wrote:
> > This means that it has to be dropped. Thats ok with me, it means less
> > work. What was the reason again for not including the capabilities as
> > a module ?
>
> Making Security modules actually modular means they don't have the full
> view of the process and generally is a bad idea. For the specific case
> of capabilities there even was an exploit in the past. If we want to
> support a given security module in debian we should compile it into the
> kernel statically.
If I recall, lsm wasn't well recieved upstream, in which case
dropping it is probably a good idea anyway.
--
Horms
Reply to: