[Dazuko-devel] Re: Dazuko module packaging in Linux distributions

[Eneko Lacunza]

Hi John,

El mar, 29-08-2006 a las 17:31, John Ogness escribió:
> Eneko Lacunza wrote:
> > Have you ever tried to submit Dazuko to upstream Linux kernel tree?
> No, but I have talked to many "important" kernel developers about it. The
> current version of Dazuko would never be accepted into the mainline because:
> 1. LSM is on its way out of the kernel. It is a flawed and ugly interface
> that should never have been created. For this reason, they do not want to
> accept any new additional LSM modules in the mainline.
    I've noticed some traffic lately in linux-security-modules mailing list, with patches for a new module been submitted. Anyway, it is clear that LSM has important problems.

[...]
> The correct solution for intercepting events is using a stackable
> filesystem. This is exactly what DazukoFS is. Although DazukoFS has been
> working in a test environment for over a year, I have not had the time to
> polish it up for an official preview release. Once DazukoFS is available
> (3.0.x), we may have a chance of getting into the mainline kernel.
    Do you have any date estimates for a preview?    

> But there are several other parts of Dazuko that may need to be
> significantly rewritten to better match the style of UNIX development. Here
> I am talking specifically about the communication protocol between user
> applications and the kernel. This is currently being done by passing user
> buffers into the kernel for communicating. Although this works well (and is
> quite effecient), it is very non-UNIX-like and may also come under fire.
    I think we'll know about this when you submit the module to a linux development tree :)

> > Instead, have you tried to talk to Linux distribution packagers, so that
> > they include dazuko as part of the kernel package?
> I have very close contact with Novell/SUSE. Until recently, they have always
> shipped with a Dazuko module. However, their new AppArmor application comes
> in conflict with Dazuko, which is why we needed to start using syscall
> hooking instead of LSM. But I am not sure if they will allow Dazuko back
> with syscall hooking.
>
> We have had contact with RedHat several times, but the response is usually
> quite negative. RedHat has many kernel developers, so the syscall hooking is
> not ok for them.
>
> Gentoo, Debian, and Ubuntu already have packages for Dazuko (though not all
> up-to-date).
    The problem with those packages is that usually they're not updated when there is a kernel module ABI change. And even if they are, usually the user has to install the package with the new ABI manually. Or other times it is a source containing package (debian) so the user has to recompile the module.

    Have you noticed that Ubuntu 6.06 kernel ships with dazuko 2.2.0 starting with kernel package 2.6.15-26.46? :-)

    Maybe we can talk to other distros for the same approach; RedHat and Novell will be difficult, but maybe others will be more pragmatic. This solves lots of problems both to the users and developers.

> > I think this is a common problem for many of us, so maybe we can try to
> > work together to improve our users' experience.
> I agree. My main goal is getting DazukoFS ready. This is a technical point
> that is quite important for acceptance of Dazuko. Once DazukoFS is ready,
> distributions will not have much of an argument why they shouldn't accept
> it. Although the functionality won't change with DazukoFS, the technical
> concept is quite different, which is important for kernel and distribution
> maintainers.

    I agree. This should make dazuko to be in the Linus kernel tree sooner or later, and after that all kernel module ABI change related problems will be gone :)

Thanks.

Regards,

-- 
Eneko Lacunza
I+D Dpt.
Panda Software - Bilbao (Spain) - http://www.pandasoftware.es