LWN: Comments on "LSS: LSM roundtable"
https://lwn.net/Articles/458652/
This is a special feed containing comments posted to the individual LWN article titled "LSS: LSM roundtable".
Sun, 09 Nov 2025 07:47:49 +0000

LSS: LSM roundtable
https://lwn.net/Articles/522874/
sethml
<div class="FormattedComment"> Perhaps an incremental approach to stacking would make it happen sooner: pick a set of features that make stacking hard (e.g. 32-bit security ids) and define any lsm which does not use those features as "lightweight". Then allow stacking of any number of lightweight modules and zero or one heavyweight module. Hopefully that would allow Yama to be stacked. Over time add difficult features to expand the definition of lightweight until more modules can be stacked.<br> </div>
Sun, 04 Nov 2012 18:04:25 +0000

App Armor Support for Wheezy
https://lwn.net/Articles/459460/
Cyberax
<div class="FormattedComment"> Yeah.<br> <p> How about this: if AppArmor work is finished before Wheezy release, then I'll send you a case of beer. Alternatively, I'll buy you a year of "maniacal supporter" subscription for LWN.<br> </div>
Tue, 20 Sep 2011 02:45:15 +0000

App Armor Support for Wheezy
https://lwn.net/Articles/459306/
BenHutchings
<a href="http://bugs.debian.org/598408">#598408</a>
Sun, 18 Sep 2011 17:21:23 +0000

App Armor Support for Wheezy
https://lwn.net/Articles/459302/
kreutzm
<p>Hello Cyberax,</p> <p> probably the best way forward is to <a href="http://bugs.debian.org">file a wishlist bug</a> ASAP.</p>
Sun, 18 Sep 2011 15:14:08 +0000

LSS: LSM roundtable
https://lwn.net/Articles/459235/
Cyberax
<div class="FormattedComment"> Please, please, please add AppArmor support in time for Wheezy.<br> </div>
Fri, 16 Sep 2011 18:46:37 +0000

LSS: LSM roundtable
https://lwn.net/Articles/459114/
BenHutchings
<blockquote>Debian currently only compiles one LSM (SELinux) into its kernel due to the memory that gets wasted by the unused code for inactive LSMs.</blockquote>
<p>Actually we have TOMOYO as well.</p>
<blockquote>But Cook said all that was really needed was a way to unload all but the active LSM. As long as this unloading mechanism didn't touch the active LSM, and that the feature itself was optional, no one seemed to object to it. So it is mostly just a matter of someone finding the time to write the code.</blockquote>
<p>This remains on my to-do list. I did make a start on this, and got as far as crashing the kernel at boot. ;-)</p>
Thu, 15 Sep 2011 17:05:58 +0000

LSS: LSM roundtable
https://lwn.net/Articles/459099/
joey
<div class="FormattedComment"> While reading this I kept seeing parallels to the problem of combining monads in Haskell. Simple stacking won't do; the current solution of monad transformers essentially requires each possible combination of monads to be coded up separately. While that's a combinatorial explosion, luckily Haskell only has 4 or 5 commonly used monads so it's manageable.<br> <p> Anyway, that's way out there and advanced mathematics will probably not come to the kernel's rescue the way it often comes to Haskell's, but I thought it was an interesting way of looking at this.<br> </div>
Thu, 15 Sep 2011 15:17:41 +0000

LSS: LSM roundtable
https://lwn.net/Articles/459047/
trasz
<div class="FormattedComment"> It may be worth mentioning that e.g. FreeBSD (and thus MacOS X, which uses the FreeBSD MAC framework) solved this problem almost a decade ago.<br> </div>
Thu, 15 Sep 2011 09:43:55 +0000