Linux Security Modules - Criticism

Criticism

Some Linux kernel developers dislike LSM for a variety of reasons. LSM strives to impose the least overhead possible, especially in the case where no module is loaded, but this cost is not zero, and some Linux developers object to that cost. LSM is designed to provide only for access control, but does not actually prevent people from using LSM for other reasons, and so some Linux kernel developers dislike that it can be "abused" by being used for other purposes, especially if the purpose is to bypass the Linux kernel's GPL license with a proprietary module to extend Linux kernel functionality.

Some security developers also dislike LSM. The author of grsecurity dislikes LSM because of its history, and that because LSM exports all of its symbols it facilitates the insertion of malicious modules (rootkits) as well as security modules. The author of RSBAC dislikes LSM because it is incomplete with respect to the needs of RSBAC. In particular, the author of RSBAC argues that: "LSM is only about additional, restrictive access control. However, the RSBAC system provides a lot of additional functionality, e.g. symlink redirection, secure_delete, partial Linux DAC disabling. All this has to be patched into kernel functions in a separate patch.". The author of Dazuko argues that targeting the LSM API is a moving target, as it changes with each kernel release, leading to extra maintenance work. Other developers would like to have LSM modules stacked, e.g. the developer of the Yama LSM.

Read more about this topic:  Linux Security Modules

Famous quotes containing the word criticism:

    As far as criticism is concerned, we don’t resent that unless it is absolutely biased, as it is in most cases.
    John Vorster (1915–1983)

    However intense my experience, I am conscious of the presence and criticism of a part of me, which, as it were, is not a part of me, but a spectator, sharing no experience, but taking note of it, and that is no more I than it is you. When the play, it may be the tragedy, of life is over, the spectator goes his way. It was a kind of fiction, a work of the imagination only, so far as he was concerned.
    Henry David Thoreau (1817–1862)

    I hold with the old-fashioned criticism that Browning is not really a poet, that he has all the gifts but the one needful and the pearls without the string; rather one should say raw nuggets and rough diamonds.
    Gerard Manley Hopkins (1844–1889)