In a brief follow up to the earlier pluggable security discussion, Thomas Fricaccia reflected on the implications for the various security frameworks, "I noticed James Morris' proposal to eliminate the LSM in favor of ordaining SELinux as THE security framework forever and amen, followed by the definitive decision by Linus that LSM would remain." He then commented on a recent merged patch preventing the loading of security modules into a running kernel, "but then I noticed that, while the LSM would remain in existence, it was being closed to out-of-tree security frameworks. Yikes! Since then, I've been following the rush to put SMACK, TOMOYO and AppArmor 'in-tree'." Linus Torvalds replied:
"Yeah, it did come up. Andrew, when he sent it on to me, said that the SuSE people were ok with it (AppArmor), but I'm with you - I applied it, but I'm also perfectly willing to unapply it if there actually are valid out-of-tree users that people push for not merging. So Í don't think this is settled in any way - please keep discussing, and bringing it up. I'm definitely not in the camp that thinks that LSM needs to be 'controlled', but on the other hand, I'm also not going to undo that commit unless there are good real arguments for undoing it (not just theoretical ones).
"For example, I do kind of see the point that a 'real' security model might want to be compiled-in, and not something you override from a module. Of course, I'm personally trying to not use any modules at all, so I'm just odd and contrary, so whatever.. Real usage scenarios with LSM modules, please speak up!"
"'TOMOYO Linux' is our work in the field of security enhanced Linux," Kentaro Takeda began, describing 15 patches posted to the Linux Kernel mailing list. He noted that in an earlier version of the patches posted just prior to the recent Kernel summit, TOMOYO Linux's Mandatory Access Control was limited to files. In the new patch, he explained, "now TOMOYO Linux has access control functionality not only for files but also for networking, signal transmission and namespace manipulation and we got the source code cleaned-up." Kentaro went to provide an overview:
"The fundamental concept of TOMOYO Linux is 'tracking process invocation history'.
"The 'struct task_struct'->security member holds a pointer to the 'process invocation history'. Thus, every process (the kernel, /sbin/init process and any children/descendant of /sbin/init) knows its 'process invocation history' (or ancestors). Since every process knows its ancestors, TOMOYO Linux can enforce access control over all processes."