Re: [RFC] cgroups: implement device whitelist lsm (v2)

[Serge E. Hallyn]

Quoting James Morris (jmorris@xxxxxxxxx):
> On Thu, 13 Mar 2008, Serge E. Hallyn wrote:
> 
> > That does make for a simpler implementation at this point, however if
> > any other such LSMs come along (as Casey seemed to think they would) the
> > end result could end up being horrible spaghetti code of dependencies
> > and interrelated configs.
> 
> That can be addressed as the need arises.  A basic tenet of kernel 
> development is to avoid speculative infrastructure.

True, but while this change simplifies the code a bit, the semantics
seem more muddled - devcg will be enforcing when CONFIG_CGROUP_DEV=y
and:

	SECURITY=n or
	rootplug is enabled
	capabilities is enabled
	smack is enabled
	selinux+capabilities is enabled

It will not be enforcing when
	dummy is loaded
	only selinux (and not capabilities) is loaded

If that's ok with people then I'm fine with it.  I suppose it should be
explained in the CONFIG_CGROUP_DEV help section, which it isn't in this
version I'm about to set.  Patch hitting the wire in a minute.

thanks,
-serge

> > But OTOH we went years with no such changes, so that's probably not a
> > particularly practical concern unless someone can cite specific upcoming
> > examples.  So if noone objects I'll try that approach.
> 
> -- 
> James Morris
> <jmorris@xxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/