Re: [PATCH] builtin stack support

• Previous message: Greg KH: "Re: [PATCH] builtin stack support"
• In reply to: Greg KH: "Re: [PATCH] builtin stack support"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Greg KH wrote:

>On Fri, Jun 20, 2003 at 09:50:51PM +0200, Bastian Blank wrote:
>  
>
>>hi folks
>>    
>>
>I'd suggest CC: the lsm mailing list, they might have some comments
>about this.
>
FYI, Chris Wright (one of the main LSM developers) left for a week's 
vacation today. This patch appears to be a major change in how LSM 
works, and I suspect Chris will want some time to consider it. So don't 
be terribly surprised if not much happens until June 30.

However, Chris also told me that he took his laptop with him. He might 
choose to take some of his vacation time to look at this.

>>- if the modules don't define a function, the call always travers
>>  through the stack until it hits the dummy module
>>- more pointer needs to be dereferences, more parameter
>>    
>>
>How does the performance of this work out, if you only have 1 security
>module?  In my opinion, preformance should not drop, unless you want to
>stack modules.
>
I agree with Greg. We deliberately did not design in explicit support. 
The priority scheme was:

   1. Have the least impact possible on kernels not using modules.
   2. Have the best performance possible for a single module.
   3. Push work for stacking modules onto module writers who want to stack.


>And did you see the previous stacker lsm module?  What advantage does
>this patch over that one?
>
The problem with module composition is that it is sometimes straight 
forward, but often problematic, and in some cases impossible. You 
*cannot* provide support for module composition in the general case; at 
best it will work sometimes. Wheeler's existing Stacker module 
encapsulates the logistics for supporting module composition in the 
simple cases, and module writers *need* to hack it themselves in the 
harder cases.

Crispin

-- 
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
            http://www.immunix.com/shop/


_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Administratorat_private: "[MailServer Notification]To Recipient virus found and action taken."
• Previous message: Greg KH: "Re: [PATCH] builtin stack support"
• In reply to: Greg KH: "Re: [PATCH] builtin stack support"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jun 20 2003 - 17:49:01 PDT