Re: Inodes hooks example

Previous message: Serge E. Hallyn: "Re: Inodes hooks example"
In reply to: Greg KH: "Inodes hooks example"
Next in thread: Greg KH: "Re: Inodes hooks example"
Reply: Greg KH: "Re: Inodes hooks example"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

morganat_private

Greg KH wrote:
> Comments?  Flames?  Contrasting visions?  Praise?

+
+       /* check that we have permission to do this */
+       retval = security_ops->ioperm();
+       if (retval) {
+               return retval;
+       }
+

[...]

+       err = security_ops->inode_ops->follow_link(dentry, nd);
+       if (err)
+               goto loop;

These are samples from your patch. First, wouldn't it be more efficient
to implement this as:

  SECURITY_HOOK_RETURN_ERROR(retval,basic_ops,ioperm,(),"ioperm
privilege required");

[...]

  SECURITY_HOOK(err,inode_ops,follow_link,(dentry, nd),"attempt to
follow symlink");
  if (err)
      goto loop;

By abstracting this with a small set of macros, as someone else has
pointed out, you can then optimize differently on different
architectures. You can also compile with debugging code on or off (and
for debugging etc., make use of __FILE__, __FUNCTION__, __LINE__ macro
definitions by way of small #ifdefs in header code).

Not to mention it means other folk can leverage your initial work to
explore different implementations/or even a rival design for the generic
interface.

Cheers

Andrew

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module