Re: Design scope of a security policy module

From: Greg KH (gregat_private)
Date: Mon Nov 04 2002 - 10:53:46 PST

    On Mon, Nov 04, 2002 at 06:51:05PM +0000, Henrý Þór Baldursson wrote:
    > 	Writing something like a file verdict cache isn't the problem. The
    > cache could be a finite size array of pointers. On open() and read()
    > calls, the cache would be checked, to see if this file has been given a
    > verdict, if not, a verification callback function would be called on it
    > to supply us with a verdict and a cache entry. Any write() calls would
    > expunge files from this cache entry. 
    
    I'm guessing that any overhead of trying to cache this info, and check
    the cache for any previous results, and catch for any changed process
    information (remember processes can pass file handles around), would be
    equal to (if not take up more memory than) just doing the check in the
    first place.
    
    > 	Anyone out there like that idea? If so then I'll consider devising a
    > prototype.
    
    Whip up a prototype as that's the best thing to try to understand what
    you are proposing here.
    
    thanks,
    
    greg k-h
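
The verdict cache proposed in the quoted message, modelled in user-space C as an added example that is not part of the original thread or of any LSM code. Keying entries on (device, inode), the slot hash, and every name below are assumptions; the verifier is a constructed stand-in for the real verification callback.

```c
#include <stdint.h>

#define CACHE_SLOTS 8                    /* finite size, as in the proposal */
enum verdict { V_UNKNOWN = 0, V_ALLOW, V_DENY };
struct entry { uint64_t dev, ino; enum verdict v; };
typedef enum verdict (*verify_fn)(uint64_t dev, uint64_t ino);

static struct entry cache[CACHE_SLOTS];
static unsigned long verify_calls;       /* how often the slow path ran */

static struct entry *slot_for(uint64_t dev, uint64_t ino)
{
    return &cache[(dev * 31 + ino) % CACHE_SLOTS];
}

/* open()/read() path: return the cached verdict, or verify and cache it. */
enum verdict cache_check(uint64_t dev, uint64_t ino, verify_fn verify)
{
    struct entry *e = slot_for(dev, ino);
    if (e->v != V_UNKNOWN && e->dev == dev && e->ino == ino)
        return e->v;
    verify_calls++;
    e->dev = dev; e->ino = ino;          /* a colliding file evicts the old entry */
    e->v = verify(dev, ino);
    return e->v;
}

/* write() path: the file content changed, so its verdict is stale. */
void cache_expunge(uint64_t dev, uint64_t ino)
{
    struct entry *e = slot_for(dev, ino);
    if (e->dev == dev && e->ino == ino)
        e->v = V_UNKNOWN;
}

unsigned long cache_verify_calls(void) { return verify_calls; }

/* Constructed sample verifier: denies files with odd inode numbers. */
enum verdict sample_verify(uint64_t dev, uint64_t ino)
{
    (void)dev;
    return (ino & 1) ? V_DENY : V_ALLOW;
}

int main(void)
{
    cache_check(1, 10, sample_verify);   /* miss: verifier runs */
    cache_check(1, 10, sample_verify);   /* hit: verifier skipped */
    return cache_verify_calls() == 1 ? 0 : 1;
}
```

Comparing `cache_verify_calls()` against the number of `cache_check()` calls on a real workload gives the hit rate, which is the figure the overhead question in the reply turns on.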


