this post was submitted on 15 Dec 2025
83 points (100.0% liked)

Linux

10605 readers
429 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
83
Torvalds On Linux Security Modules: "I Already Think We Have Too Many Of Those Pointless Things" (www.phoronix.com)
submitted 19 hours ago by cm0002@literature.cafe to c/linux@programming.dev
11 comments fedilink hide all child comments
 

Stemming from a security researcher and his team proposing a new Linux Security Module (LSM) three years ago and it not being accepted to the mainline kernel, he raised issue over the lack of review/action to Linus Torvalds and the mailing lists. In particular, seeking more guidance for how new LSMs should be introduced and raised the possibility of taking the issue to the Linux Foundation Technical Advisory Board (TAB).

This mailing list post today laid out that a proposed TSEM LSM for a framework for generic security modeling was proposed but saw little review activity in the past three years or specific guidance on getting that LSM accepted to the Linux kernel. Thus seeking documented guidance on new Linux Security Module submissions for how they should be optimally introduced otherwise the developers are "prepared to pursue this through the [Technical Advisory Board] if necessary."

top 11 comments
sorted by: hot top controversial new old
[–] GlenRambo@jlai.lu 2 points 5 hours ago

Where can I find more info on his Linux as an organisation is run/structured? As in what hand does Linus play, what are these mailing lists, how do the devs work on things and how are they approved, what role rhe TAB (and others?) plays etc.

[–] MNByChoice@midwest.social 17 points 12 hours ago (1 children)

A list of Linux Security Modules is at https://en.wikipedia.org/wiki/Linux_Security_Modules

List of Linux Security Modules

snark(I didn't read the wiki page closely. Why was the heading "Adoption" and not something more clear?)

AppArmor
Integrity Policy Enforcement (IPE)[6]
Landlock[7][8]
LoadPin[9]
SafeSetID[10]
SELinux
Smack
TOMOYO
Yama[11]

As a long time SysAdmin, but not your SysAdmin, I have used two of these. Both had terrible documentation for which many "must use" paid software vendors advise disabling the Security Module as a first step.

If random software vendors' lowest paid intern cannot figure out the settings for arbitrary Linux Security Modules, then the first line of the directions will always be to disable the security module. This leads to them not being used in many cases where the security module would be helpful.

snark(To explain, it is only the cheapest and most inexperienced person that is typically responsible for doing things as they are not in meetings all day.)

I agree with Linus.

[–] Cris_Color@lemmy.world 16 points 16 hours ago (2 children)

What exactly is a linux security module? Like what do they do?

Like when there's a security issue, it gets patched- what does a module of some kind add to that?

[–] lmmarsano@lemmynsfw.com 11 points 16 hours ago* (last edited 16 hours ago)

Search result for Linux Security Modules

Linux Security Modules (LSM) is a framework allowing the Linux kernel to support, without bias, a variety of computer security models.

ie, implement security policies other than the standard model such as mandatory access controls.

[–] l3db3tt3r@piefed.social 2 points 16 hours ago (2 children)

"Yes, I know that security people always think they know best, and they all disagree with each other, which is why we already have tons of security modules. Ask ten people what model is the right one, and you get fifteen different answers."

"I'm not in the least interested in becoming some kind of arbiter or voice of sanity in this."

How do you even get to a consensus model to tease these things out; when your answer is a refusal to engage with "pointless" things?

It just seems contentious to me, that anyone when considering this kind of rhetoric, would make claims in regards to the level of security that Linux (may) provide. It just feels something akin to playing in the realm of security theater.

[–] raviiishing@sh.itjust.works 7 points 5 hours ago

Man, some people just love wasting others' time and then getting mad when they say no more.

[–] themoken@startrek.website 32 points 16 hours ago (1 children)

Linus' apathy may keep ten different competing security ideas from each being mainlined, but it's not impossible for them to continue and prove their worth out of tree until some sort of coherent best practices are established.

Meanwhile, actual security issues will continue to be patched as needed and Linux remains the most analyzed and targeted kernel in the world.

[–] ulterno@programming.dev 1 points 4 hours ago

prove their worth out of tree until some sort of coherent best practices are established

I feel like this is what the Technical Advisory Board should be replying with.