Re: Early initialization of security modules

From: Stephen Smalley (sdsat_private)
Date: Mon Sep 30 2002 - 11:38:19 PDT

  • Next message: Chris Wright: "Re: [RFC] No more module_* hooks"

    On Mon, 30 Sep 2002, Greg KH wrote:
    > Why not just use the existing _initcall levels instead of creating a new
    > one?  Isn't one of them early enough for security modules to use?
    Some security modules (like SELinux) want to initialize before any
    security hooks would be called, just as you presently initialize the
    security framework via security_scaffolding_startup() in start_kernel() in
    init/main.c.  Otherwise, we have to provide some mechanism for handling
    kernel objects allocated before SELinux has initialized, like the
    precondition functions (which make it very difficult to reason about
    control flow and locking issues) or explicitly locating all such objects
    during module initialization (which isn't always feasible).
    Stephen D. Smalley, NAI Labs
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 11:39:26 PDT