Re: [GIT PULL] tomoyo update for v6.12

From: Tetsuo Handa
Date: Wed Oct 02 2024 - 19:09:44 EST


On 2024/10/02 23:01, Paul Moore wrote:
>> Now that built-in LSM modules started using __ro_after_init static calls, !built-in
>> LSM modules can start using !__ro_after_init linked list without affecting built-in
>> LSM modules. I can't understand why Paul does not like it.
>
> A *lot* of effort has gone into both hardening and improving the
> performance of the LSM framework. I'm loath to introduce anything
> which would take away from those gains, especially if it is only done
> to satisfy out-of-tree LSMs, or users who don't agree with their
> distro kernel's build-time configuration.

Forcing distro users to rebuild distro kernels (with or without modified
kernel configurations) is no longer a viable solution.

Since cryptography (e.g. module signing keys) is getting used inside kernels,
no one except the one who has the private key and has built the original kernel
can reproduce the same behavior/functionality (even without modified kernel
configurations). Also, from a package management perspective, users get confused
by being forced to use different package names/versions (when installing kernel
related packages) and breaking package dependencies (when installing userspace
packages). You said

Comparing userspace applications to kernel code isn't a fair
comparison as a userspace application can generally be added without
impacting the other applications on the system.

Anyone is always free to build their own kernel with whatever code
changes they like, this is the beauty of the kernel source being
available and licensed as Open Source. You are free to build a kernel
with whatever LSM you like included and enabled. You have been shown
examples on how to do this in previous threads.

at https://lkml.kernel.org/r/CAHC9VhQq0-D=p9Kicx2UsDrK2NJQDyn9psL-PWojAA+Y17WiFQ@xxxxxxxxxxxxxx .
But due to the above-mentioned realities, your assertion no longer stands.
Kernel source itself might be open, but private keys cannot be open.
The vmlinux cannot be rebuilt without forcing penalties (i.e. having a
negative impact on the user side, which cannot be a viable solution).