* jmjonesat_private (jmjonesat_private) wrote:
>
> I still don't think it's necessary to be able to extricate LSM *if* it is
> part of the actual kernel tree. The cost for the dummy calls is just not
> that high (a sign, IMHO, that the "minimal impact" objective has been well
> addressed.) They also are located in many interesting spots, and may have
> uses other than the claimed purpose.

you can be sure some people will complain about any negative impact. we
may be sold that lsm overhead is not unreasonable, but if the overhead
becomes an issue for acceptance we will have to address it.

> On a more hopefully helpful note, would it be acceptable to build a
> conditional that converts the hooks containing logic in the dummy/capable
> module to direct calls to the relocated code in one swoop DIRECTLY,
> without the indirection of the security_ops structure, or is it
> necessary to put that logic BACK on the "flip of a switch."?
>
> #ifndef LSM_OUT
> hook(...)
> #else
> cap_hook(...)
> #endif

this is what i was talking about. this is less trivial than lsm on/off
because it has dependencies on the capabilities module code. it isn't the
end of the world, it's just more difficult to get right, that's all. ;-)

-chris

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
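The compile-time switch discussed in the message above, as an added userspace sketch that is not code from the thread or from the LSM patch. The struct layouts, the capable hook signature, the security_call macro and the capability bit are simplified assumptions; only security_ops, LSM_OUT and the cap_ prefix come from the message.

```c
#include <stdio.h>

/* Hypothetical, simplified model: a task is just a capability bitmask. */
struct task { unsigned int cap_effective; };
#define CAP_ADMIN_BIT 21              /* constructed value for this sketch */

/* Logic relocated into the capabilities code: 0 allows, -1 denies. */
static int cap_capable(const struct task *t, int cap)
{
    return (t->cap_effective & (1u << cap)) ? 0 : -1;
}

/* Hook table used by the indirect design. */
struct security_operations {
    int (*capable)(const struct task *t, int cap);
};

/* Default table: the dummy/capability entry points at cap_capable. */
static struct security_operations capability_ops = { .capable = cap_capable };
static struct security_operations *security_ops = &capability_ops;

#ifndef LSM_OUT
/* LSM built in: the call goes through the security_ops pointer, so a
 * loaded module that swaps the table changes the decision. */
#define security_call(hook, ...) (security_ops->hook(__VA_ARGS__))
#else
/* LSM compiled out: the same call site becomes a direct cap_<hook> call.
 * This only builds if a cap_<hook> exists for every hook that carries
 * logic, which is the dependency on the capabilities code. */
#define security_call(hook, ...) (cap_##hook(__VA_ARGS__))
#endif

/* A call site that is textually identical in both builds. */
static int may_admin(const struct task *t)
{
    return security_call(capable, t, CAP_ADMIN_BIT) == 0;
}

int main(void)
{
    struct task root = { 1u << CAP_ADMIN_BIT };
    struct task user = { 0 };

    printf("root allowed: %d\n", may_admin(&root));
    printf("user allowed: %d\n", may_admin(&user));
    return 0;
}
```

Building once as-is and once with -DLSM_OUT gives the same decisions here; the two builds differ only in whether a replaced security_ops table can influence them.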
This archive was generated by hypermail 2b30 : Mon Oct 08 2001 - 14:07:38 PDT