[arch-general] [arch-dev-public] Trimming down our default kernel configuration

Thomas Bächler thomas at archlinux.org
Thu Mar 27 10:40:03 EDT 2014


On 27.03.2014 15:24, Simon Brand wrote:
> On 27.03.2014 13:46, Thomas Bächler wrote:
>> Do you even know what that means? If I see this right, every time
>> the kernel needs to do some permission check, it needs to ask "are
>> we using LSM xyz?". In any case, it's more code and thus more room
>> for failure.
> 
> Not necessarily, I do not know the code of all the policy enforcement
> points, but if you have a function pointer to the policy decision
> function, you only have to query this function. So if you enable
> SELinux, you let the pointer point to the SELinux function.

Do you know that Linux operates this way? If so, at least we don't have
to assume that performance suffers. This again begs the question, why do
the LSMs need to be built-in? Why can't they be modular?

I don't expect you to answer these questions, they are just things that
I consider.

Perhaps let me rephrase my rationale: If we include support for an LSM
in Linux, it should be because we support it in our user-space, too. I
don't see SELinux being supported by default in Arch anytime soon. _If_
at some point we make a decision to support it (optional or by default),
we can enable it in the kernel.

The whole idea of trimming down the kernel is to stop enabling things
because some users _may_ _possibly_ want to use them.
