[opensuse-factory] Move dazuko into kernel?

Hello,

The current dazuko package in openSUSE 11.0 contains dazuko and redirfs, with a configuration setting to make dazuko use the redirfs interface instead of LSM. (Because dazuko is compiled as an external module, LSM is not available to it.)

But there is a new dazuko version (2.3.5-pre1) which puts dazuko into the kernel as an LSM which can be turned on/off via a boot parameter (like AppArmor). I think this would be a good approach, since I believe that dazuko as an LSM has had more production-level testing than redirfs.

Thoughts?

Thanks,
Ann

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Mon, Mar 31, 2008 at 09:34:25AM -0600, Ann Davis wrote:
What are the plans for dazuko to be submitted to the upstream kernel and accepted there?

We have a policy of only adding patches to our kernel tree that are already accepted by the upstream community, otherwise we end up with big support problems (remember the ckrm mess...)

We also accept patches from our kernel engineers that are not accepted upstream, but in that case, they are responsible for maintaining and supporting them. dazuko doesn't seem to fit into that category.

thanks,

greg k-h

Greg KH wrote:
Thanks for your comments. I've asked John at dazuko.org about upstreaming this dazuko kernel patch, so we'll see... But I think his focus is more on developing (and eventually upstreaming) the new dazukofs approach.

BTW, the patch to put dazuko in-kernel is very contained; it just adds a security/dazuko directory and doesn't mess w/ any other files. So it *could* be easily dropped if necessary... ;-)

As a note: With the latest kernel changes, a lot of anti-virus vendors are going to have to re-architect their solutions. It would be nice if we could provide them w/ a stable, in-kernel interface. Given that we don't have an upstream solution yet, putting dazuko in-kernel seems like a relatively contained way to solve a customer/partner problem.

In the meantime, I'll keep working w/ the current dazuko-redirfs KMP and try to get some testing in place.

Ann

On Mon, Mar 31, 2008 at 01:51:32PM -0600, Ann Davis wrote:
That's not the issue. The issue is that if it shows up in our kernel, we have to support it in some manner. If it's upstream, we know it will be supported by upstream. If not, then it's our job. And I do not think that anyone here wants to support dazuko, I know I sure don't.
And I'd like a pony :)
That is assuming that dazuko is such an interface, works properly, doesn't expose more security holes than it fixes, and that the virus vendors use it. That's a lot of ifs to come true...

good luck,

greg k-h
participants (2)
- Ann Davis
- Greg KH