Re: [PATCH] lsm stacking through chaining

From: Chris Wright (chrisw@private)
Date: Thu Nov 11 2004 - 22:35:08 PST

* Serge E. Hallyn (serue@private) wrote:
> Attached is a new implementation of the lsm stacking through chaining.
> This one is a little more intricate than the last, in that it is enabled
> when the stacker module is compiled in, but can otherwise be compiled out.

Hmm, I'm not convinced that's a great idea.

> The attached lmbench numbers show that the fedora setup of selinux +
> capabilities compiled in (and no stacker module) does not slow down at
> least this benchmark.  Using the same modules but through stacker fares
> a bit worse.

I'd hope that w/out stacker (with this configurable setup) the config'd
off it should completely go away.  I'll have to look closer, but I wonder
what it would look like with it unconditionally enabled, yet not used (in
the SELinux case)?

> Attached are the following files:
> lsm-chain.patch: implements the CONFIG-dependent use of hlist_heads for
> 	kernel object security structs.

This worries me.  Especially with security_t being conditionally defined
to two different datatypes.  I think that would be rejected.

Linux Security Modules

This archive was generated by hypermail 2.1.3 : Thu Nov 11 2004 - 22:35:16 PST