Re: [PATCH V2 06/15] taint: Add taint for insecure
From: hpa
Date: Thu May 31 2018 - 16:50:52 EST
On May 31, 2018 1:25:39 PM PDT, Andy Lutomirski <luto@xxxxxxxxxx> wrote:
>On Thu, May 31, 2018 at 10:58 AM Chang S. Bae
><chang.seok.bae@xxxxxxxxx> wrote:
>>
>> When adding new feature support, patches need to be
>> incrementally applied and tested with temporal parameters.
>> For such testing (or root-only) purposes, the new flag
>> will serve to tag the kernel taint state properly.
>
>I'm okay with this, I guess, but I'm not at all convinced we need it.
This was my idea. It isn't the only thing that may want it, and I think it is critical that we give the system a way to flag that the system contains experimental code that is known to break security. Sometimes that kind of experimental code is useful (I have written some myself, e.g. to treat SMAP), but it is a good idea to be able to flag such a kernel permanently, even if it's a module that can be removed.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.