Seccomp: replacing security modules?

Posted May 19, 2011 21:18 UTC (Thu) by dlang (✭ supporter ✭, #313)
Parent article: Seccomp: replacing security modules?

Even if this gets implemented, there will still be a need for LSM-like frameworks.

It doesn't really matter how a call to open() is hooked into; what matters is what checks are done, and the checks done for SELinux are going to be very different than the checks done by AppArmor (and they will be looking at very different data structures to determine if the access should be allowed), even if they are both hooking into the same tracepoints to implement their check.

I like the concept. It would be a lot of churn for the existing LSM modules to change from using the LSM hooks to using the trace hooks, but if it allows for layered policy enforcers (what have previously been called LSM modules), this would probably make it worth it by itself.


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds