[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Dazuko-devel] Re: Dazuko module packaging in Linux distributions

From: Eneko Lacunza
Subject: [Dazuko-devel] Re: Dazuko module packaging in Linux distributions
Date: Wed, 30 Aug 2006 08:59:14 +0200

Hi John,

El mar, 29-08-2006 a las 17:31, John Ogness escribió:
Eneko Lacunza wrote:
> Have you ever tried to submit Dazuko to upstream Linux kernel tree?
No, but I have talked to many "important" kernel developers about it. The
current version of Dazuko would never be accepted into the mainline because:
1. LSM is on its way out of the kernel. It is a flawed and ugly interface
that should never have been created. For this reason, they do not want to
accept any new additional LSM modules in the mainline.
    I've noticed some traffic lately in linux-security-modules mailing list, with patches for a new module been submitted. Anyway, it is clear that LSM has important problems.

The correct solution for intercepting events is using a stackable
filesystem. This is exactly what DazukoFS is. Although DazukoFS has been
working in a test environment for over a year, I have not had the time to
polish it up for an official preview release. Once DazukoFS is available
(3.0.x), we may have a chance of getting into the mainline kernel.
    Do you have any date estimates for a preview?   

But there are several other parts of Dazuko that may need to be
significantly rewritten to better match the style of UNIX development. Here
I am talking specifically about the communication protocol between user
applications and the kernel. This is currently being done by passing user
buffers into the kernel for communicating. Although this works well (and is
quite effecient), it is very non-UNIX-like and may also come under fire.
    I think we'll know about this when you submit the module to a linux development tree :)

> Instead, have you tried to talk to Linux distribution packagers, so that
> they include dazuko as part of the kernel package?
I have very close contact with Novell/SUSE. Until recently, they have always
shipped with a Dazuko module. However, their new AppArmor application comes
in conflict with Dazuko, which is why we needed to start using syscall
hooking instead of LSM. But I am not sure if they will allow Dazuko back
with syscall hooking.

We have had contact with RedHat several times, but the response is usually
quite negative. RedHat has many kernel developers, so the syscall hooking is
not ok for them.

Gentoo, Debian, and Ubuntu already have packages for Dazuko (though not all
    The problem with those packages is that usually they're not updated when there is a kernel module ABI change. And even if they are, usually the user has to install the package with the new ABI manually. Or other times it is a source containing package (debian) so the user has to recompile the module.

    Have you noticed that Ubuntu 6.06 kernel ships with dazuko 2.2.0 starting with kernel package 2.6.15-26.46? :-)

    Maybe we can talk to other distros for the same approach; RedHat and Novell will be difficult, but maybe others will be more pragmatic. This solves lots of problems both to the users and developers.

> I think this is a common problem for many of us, so maybe we can try to
> work together to improve our users' experience.
I agree. My main goal is getting DazukoFS ready. This is a technical point
that is quite important for acceptance of Dazuko. Once DazukoFS is ready,
distributions will not have much of an argument why they shouldn't accept
it. Although the functionality won't change with DazukoFS, the technical
concept is quite different, which is important for kernel and distribution

    I agree. This should make dazuko to be in the Linus kernel tree sooner or later, and after that all kernel module ABI change related problems will be gone :)



Eneko Lacunza
I+D Dpt.
Panda Software - Bilbao (Spain) - http://www.pandasoftware.es

reply via email to

[Prev in Thread] Current Thread [Next in Thread]