Re: [PATCH] remove sys_security

From: David S. Miller (davemat_private)
Date: Thu Oct 17 2002 - 13:38:16 PDT

  • Next message: Greg KH: "Re: [PATCH] remove sys_security"

       From: Greg KH <gregat_private>
       Date: Thu, 17 Oct 2002 13:36:52 -0700
       > Are the LSM modules that exist now using portable types in the objects
       > passed into sys_security?  Note that pointers and things like "long"
       > are not allowed as types, for example, those would need to be translated.
       Yes, you are correct, they better be implemented properly, or they will
       not work.
    How am I supposed to know what the things are being passed in
    via these opaque "unsigned long" parameters?
    Could they be pointers?  If so, game over already, and this needs
    to be fixed NOW.
       And (ignoring the network hooks) there is not a measurable overhead for
       these hooks.  We have documented this many times (OLS paper, USENIX
       paper, etc.)  With the patch I'm about to submit, disabling the option
       makes them go away entirely.
    Look at the code that gets output, look at the 32K of kernel image
    I get even though I have no intention of _ever_ loading a security
    So if distribution makers enable CONFIG_SECURITY, EVERY USER eats
    this 32K.  That _SUCKS_.
    And I severely contest your overhead argument, look at the assembler
    code being output, the kernel parts where the hooks are placed are
    different.  Lots of places that used to be leaf functions are no
    longer leaf functions due to the security_ops invocation being there
    now.  Register allocation is also going to be quite different
    In short, it's bloat, and if you refuse to realize that perhaps kernel
    development is not your true calling in life :-)
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 13:46:59 PDT