this post was submitted on 15 Dec 2025
99 points (100.0% liked)

Linux

10737 readers
731 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
99
Torvalds On Linux Security Modules: "I Already Think We Have Too Many Of Those Pointless Things" (www.phoronix.com)
submitted 1 week ago by cm0002@literature.cafe to c/linux@programming.dev
12 comments fedilink hide all child comments
 

Stemming from a security researcher and his team proposing a new Linux Security Module (LSM) three years ago and it not being accepted to the mainline kernel, he raised issue over the lack of review/action to Linus Torvalds and the mailing lists. In particular, seeking more guidance for how new LSMs should be introduced and raised the possibility of taking the issue to the Linux Foundation Technical Advisory Board (TAB).

This mailing list post today laid out that a proposed TSEM LSM for a framework for generic security modeling was proposed but saw little review activity in the past three years or specific guidance on getting that LSM accepted to the Linux kernel. Thus seeking documented guidance on new Linux Security Module submissions for how they should be optimally introduced otherwise the developers are "prepared to pursue this through the [Technical Advisory Board] if necessary."

you are viewing a single comment's thread
view the rest of the comments
[โ€“] MNByChoice@midwest.social 1 points 1 week ago (1 children)

A list of Linux Security Modules is at https://en.wikipedia.org/wiki/Linux_Security_Modules

List of Linux Security Modules

snark(I didn't read the wiki page closely. Why was the heading "Adoption" and not something more clear?)

AppArmor
Integrity Policy Enforcement (IPE)[6]
Landlock[7][8]
LoadPin[9]
SafeSetID[10]
SELinux
Smack
TOMOYO
Yama[11]

As a long time SysAdmin, but not your SysAdmin, I have used two of these. Both had terrible documentation for which many "must use" paid software vendors advise disabling the Security Module as a first step.

If random software vendors' lowest paid intern cannot figure out the settings for arbitrary Linux Security Modules, then the first line of the directions will always be to disable the security module. This leads to them not being used in many cases where the security module would be helpful.

snark(To explain, it is only the cheapest and most inexperienced person that is typically responsible for doing things as they are not in meetings all day.)

I agree with Linus.

[โ€“] rmt@programming.dev -1 points 1 week ago* (last edited 6 days ago) (1 children)

If the lowest paid intern gets to use AI, then it will probably help them configure it properly.. the docs generally aren't bad (of the ones I've seen/used), but they're not newbie/intern level docs.

edit: That's a lot of downvotes for suggesting AI is useful at a primarily language/grammatical problem (ie. helping to crafting security/sandbox policy DSLs from terse docs and examples)? I detect some gut-reaction insecurities in these parts. ๐Ÿ™ƒ

[โ€“] bitcrafter@programming.dev 1 points 1 week ago

I barely trust natural intelligence with anything relating to security.