* James Morris (jmorrisat_private) wrote:
> On Thu, 27 Jun 2002, Seth Arnold wrote:
>
> > Chris offers a beer to whoever can come up with a slick solution so
> > that module authors don't have to define functions they don't care
> > about.
>
> I think this can be done relatively simply once the hooks are flattened
> out (I looked at this some months ago, and managing the double pointers
> was the only problem, IIRC).

The main thing I want to avoid is fooling the module into thinking it
has filled in all callbacks when defaults are automagically used.

> > We will need to flatten the security structure; who wants grunt work?
> >
>
> If nobody else is planning to do this, I should be able to have a look at
> this and the issue above sometime over the next week or so.
>
> Also, while thinking about a way to enable the netfilter IP hooks to be
> registered dynamically by modules, it occurred to me that it would be
> simpler, faster and more flexible to actually remove these hooks from LSM
> and let modules register netfilter hooks directly as required. A dynamic
> registration interface would add more complexity to LSM, and may involve
> further performance hits to modules which use the hooks. The more
> lightweight we can make LSM the better, and direct netfilter registration
> would allow modules to use exactly the hooks/priorities they need, rather
> than the current defaults which probably don't suit anyone perfectly
> anyway.

I do like the idea of allowing the module to choose the priorities, and see
no reason not to just use netfilter directly. The only disadvantage I see
is the explicit correlation between LSM and netfilter is hidden.

cheers,
-chris
--
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
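The concern raised in the message above (defaults filled in without the module knowing), as an added userspace example that is not code from the thread or from LSM: a flattened hook table whose registration fills unset hooks with defaults and reports which ones it filled. All names (`sec_ops`, `register_sec_ops`, `HOOK_*`, `call_task_kill`) are hypothetical.

```c
#include <stdio.h>
/* Hypothetical flattened hook table: one level of function pointers.
 * Names are illustrative assumptions, not the LSM API. */
struct sec_ops {
    int (*inode_permission)(int mask);
    int (*file_open)(int flags);
    int (*task_kill)(int sig);
};

/* One bit per hook, so registration can report what it defaulted. */
#define HOOK_INODE_PERMISSION 0x1u
#define HOOK_FILE_OPEN        0x2u
#define HOOK_TASK_KILL        0x4u

/* Defaults allow the operation (return 0). */
static int default_inode_permission(int mask) { (void)mask; return 0; }
static int default_file_open(int flags) { (void)flags; return 0; }
static int default_task_kill(int sig) { (void)sig; return 0; }

/* Fill an unset hook and record that it was filled. */
#define FIXUP(ops, hook, bit, mask) \
    do { if (!(ops)->hook) { (ops)->hook = default_##hook; (mask) |= (bit); } } while (0)
static struct sec_ops *active_ops;

/* Returns 0 and writes the bitmask of defaulted hooks, or -1 on bad args. */
int register_sec_ops(struct sec_ops *ops, unsigned *defaulted)
{
    unsigned mask = 0;
    if (!ops || !defaulted) return -1;
    FIXUP(ops, inode_permission, HOOK_INODE_PERMISSION, mask);
    FIXUP(ops, file_open, HOOK_FILE_OPEN, mask);
    FIXUP(ops, task_kill, HOOK_TASK_KILL, mask);
    *defaulted = mask;
    active_ops = ops;
    return 0;
}

/* Call site needs no NULL check: every slot is populated after registration. */
int call_task_kill(int sig) { return active_ops->task_kill(sig); }
/* Constructed sample module: it only cares about one hook. */
static int deny_sigkill(int sig) { return sig == 9 ? -1 : 0; }

int main(void)
{
    struct sec_ops ops = { .task_kill = deny_sigkill };
    unsigned defaulted = 0;
    if (register_sec_ops(&ops, &defaulted) != 0) return 1;
    printf("defaulted mask: 0x%x, kill(9) -> %d\n", defaulted, call_task_kill(9));
    return 0;
}
```

A module can inspect the returned mask and refuse to load if a hook it depends on was defaulted.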
This archive was generated by hypermail 2b30 : Sat Jun 29 2002 - 08:45:06 PDT