Re: Last question on rm -f unused_hooks*

• Previous message: Stephen Smalley: "sendfile and file_permission hooks"
• In reply to: Greg KH: "Re: Last question on rm -f unused_hooks*"
• Next in thread: Mike Wray: "Re: Last question on rm -f unused_hooks*"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Greg KH wrote:

>My criteria is, that I'm not going to send a patch off, for inclusion in
>the main kernel tree, that contains a hook that is not needed by a
>released, GPLed, module.
>
Thanks. That's what I thought, but it's good to know for sure.

>>I accept that it is the Linux way to remove interfaces that are not 
>>being used. I think it's dumb, but what I think doesn't matter; it's 
>>what will get into the kernel.
>>    
>>
>It's not dumb.  Why would you think it is dumb?  Why would you expect
>people to support interfaces that are not being used?  That's just
>wasteful, and causes unneeded bugs and bloat.
>
I am a big fan of parsimony (ruthless simplicity in design & 
implementation). However, IMHO it's dumb to *blindly* apply a rule of 
"cut anything not presently being used." That's a good guideline, but it 
has to be used in context.

The context here is that we're trying to build an abstract interface 
between the kernel and security modules. But since we don't yet know the 
scope of things people will try to do with the interface, it is 
important that the interface be abstract and regular:

    * anything you can enable you can disable
    * anytime you mediate one kind of object, you should mediate similar
      objects
    * similar objects should all be mediated at the same level
    * etc. etc.

IMHO, at this point in the evolution of the LSM interface "I can't find 
anyone using this hook" should not be sufficient grounds to cut it. 
IMHO, sufficient grounds would be any of the following:

    * No one is using a hook and it is a performance penalty.
    * No one is using a hook and it is uniuqe, i.e. not an abstract dual
      of something that is being used.
    * Regardless of whether someone is using a hook, remove it if the
      thing it is mediating is completely bypassable. Alternative: add
      additional hooks until it is no longer bypassable. Engage brain
      before choosing one or the other :)

Following these guidelines keeps LSM from turning (any more :) into an 
ugly, ad hoc mass of random hooks.

Sure, cut what's not needed. But "no one's using it *yet*" is weak 
evidence for "not needed" in a young interface.

That's my philosophy of design. But since I don't own the code we're 
trying to push into, we have to accomodate the code owners as best we can.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

• application/pgp-signature attachment: stored

• Next message: James Morris: "Re: [RFC] No more module_* hooks"
• Previous message: Stephen Smalley: "sendfile and file_permission hooks"
• In reply to: Greg KH: "Re: Last question on rm -f unused_hooks*"
• Next in thread: Mike Wray: "Re: Last question on rm -f unused_hooks*"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Oct 04 2002 - 19:54:12 PDT