Announcement

Collapse
No announcement yet.

Linux Kernel "LOCKDOWN" Ported To Being An LSM, Still Undergoing Review

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Linux Kernel "LOCKDOWN" Ported To Being An LSM, Still Undergoing Review

    Phoronix: Linux Kernel "LOCKDOWN" Ported To Being An LSM, Still Undergoing Review

    It didn't make it for the Linux 5.2 kernel and now it's up to its 33rd revision on the Linux kernel mailing list... The "lockdown" patches for locking down access to various kernel hardware features has been reworked now and is a Linux Security Module (LSM) as it still tries to get enough endorsements to be mainlined...

    http://www.phoronix.com/scan.php?pag...x-Lockdown-LSM

  • #2

    Moving this to the LSM brings it one step closer to being a feature of SELinux policy (which is basically what this should have been from the start). "They who misunderstand SELinux are destined to reinvent it badly", I guess...

    Comment


    • #3
      Those who misunderstand that complex software is too complex so it gets reinvented badly are bound to reinvent complex software so complex it is bound to be reinvented badly.

      Comment


      • #4
        Originally posted by uxmkt View Post
        Those who misunderstand that complex software is too complex so it gets reinvented badly are bound to reinvent complex software so complex it is bound to be reinvented badly.
        I dunno exactly what you're trying to say here but, while SELinux isn't trivial, it only took two weeks or so to get my head around (Bind, SendMail, OpenSSL, systemd I would all describe as a similar level of complexity). Compared to things that we talk about on this website - OpenGL and Vulkan that took me a month or so to get a cube to display - it's fairly straight forward.

        In any case, SELinux is a thing that sits on the LSM and provides policy files to configure system-wide mandatory security features (basically blanket and per-process sandboxes that you can't sudo or chmod to get around). It works by default out of the box on many distros. Adding these new "lockdown settings" as an additional policy that could just be enabled by default seems like a nice idea. Other LSM security systems (GRSecurity, etc) presumably can now also switch this on by default if they think want, without having to recompile the kernel...

        Comment

        Working...
        X