|
|
Пишет LWN.net (![[info]](http://lj.rossia.org/img/syndicated.gif){kind=small} syn_lwnheadline)@ 2019-11-20 20:19:00 |
 |
|
 |
|
|
|
|
|
|
 |
|
 |
[$] LSM stacking and the future
The idea of stacking (or chaining) Linux
security modules (LSMs) goes back
15 years (at least) at this point; progress
has definitely been made along
the way, especially in the last decade or so. It has been possible to
stack "minor" LSMs with one major LSM (e.g. SELinux, Smack, or AppArmor) for
some time, but mixing, say, SELinux and AppArmor in the same
system has not been possible. Combining major security solutions may not
seem like a truly important feature, but there is a use case where it is
pretty clearly needed: containers. Longtime LSM stacker (and Smack
maintainer) Casey Schaufler
gave a presentation at the 2019
Linux Security Summit Europe to report on the status and plans for
allowing arbitrary LSM stacking.
The idea of stacking (or chaining) Linux
security modules (LSMs) goes back
15 years (at least) at this point; progress
has definitely been made along
the way, especially in the last decade or so. It has been possible to
stack "minor" LSMs with one major LSM (e.g. SELinux, Smack, or AppArmor) for
some time, but mixing, say, SELinux and AppArmor in the same
system has not been possible. Combining major security solutions may not
seem like a truly important feature, but there is a use case where it is
pretty clearly needed: containers. Longtime LSM stacker (and Smack
maintainer) Casey Schaufler
gave a presentation at the 2019
Linux Security Summit Europe to report on the status and plans for
allowing arbitrary LSM stacking.
