On Fri, 18 Oct 2002 18:53, Greg KH wrote:
> Now there is no size impact, and no performance impact if you disable
> the config option (which is the default right now!) I'm all for
> dropping the syscall too, if the SELinux people, or someone else doesn't
> speak up as to why they really need it. The hooks have a real design
> and purpose, as we've constantly pointed out in our documentation, and
> they have been validated by others in their USENIX papers.

I don't speak for the people who write the SE Linux kernel code. But at the moment I am doing a good chunk of the user-land SE Linux work and the vast majority of distribution packaging work, so a large amount of the pain of converting from a single LSM syscall to multiple syscalls would be for me.

For me having separate syscalls for all the SE functions will be OK just as long as we get all the syscalls that are needed and that it's not excessively painful to get new ones if we need more functionality. However given some of the recent comments having a multiplex syscall seems like a safer option (then no-one can restrict how many syscalls we get).

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page