Re: [GIT PULL] Security subsystem updates for 4.14

From: Paul Moore
Date: Fri Sep 08 2017 - 13:36:38 EST

On Fri, Sep 8, 2017 at 1:25 PM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Sep 8, 2017 at 12:09 AM, Christoph Hellwig <hch@xxxxxxxxxxxxx> wrote:
>> But yes, for the init-time integrity_read_file this is incorrect.
>> It never tripped up, and I explicitly added the lockdep annotations
>> so that anything would show up, and it's been half a year since
>> I sent that first RFC patch..
> I don't think anybody actually tests linux-next kernels in any big
> way, and the automated tests that do get run probably don't run with
> any integrity checking enabled.
> Which is why I actually look at the code when merging unexpected stuff.
> This is also why I tend to prefer getting multiple branches for
> independent things.
> Now the whole security pull will be ignored because of this thing. I
> refuse to pull garbage where I notice major fundamental problems in
> code that has obviously never ever been tested.

Is it time to start sending pull request for each LSM and thing under
security/ directly? I'm not sure I have a strong preference either
way, I just don't want to see the SELinux changes ignored during the
merge window.

paul moore