Re: [RFC] [PATCH] Stacking through chaining (v3)

From: Serge E. Hallyn (serue@private)
Date: Tue Nov 30 2004 - 10:29:18 PST


Quoting Valdis.Kletnieks@private (Valdis.Kletnieks@private):
> On Tue, 30 Nov 2004 11:00:36 CST, "Serge E. Hallyn" said:
> For that matter, are there any existing cases where a module *cares* if it's
> primary or secondary (as in "returns different results based *only* on its own
> status as primary/secondary, with *NO* regard as to what the "other" module
> is"?)

I guess that's what Chris was getting at  :)

> I can see where an LSM *might* want to do something like "return A if we
> also have SELinux loaded, but do B otherwise".  For instance, we recently had
> a discussion about an OpenWall-ish LSM I have, where we decided that most of
> the function was also doable in SELinux - in a case like that, my code could
> very well want to defer to SELinux if present, but apply its check otherwise.
> Testing for if my code is primary or secondary is *wrong* - the fact I'm
> a secondary is *not* identically equal to selinux running - I *could* be
> secondary to a LIDS or something else....
> 
> That raises a performance question - if a "is FOO loaded" function is
> provided, can we do it with very low overhead (so it's called each time),
> or do we need to provide a "FOO is loading/FOO is unloading" notification
> to other LSM's that might care?

I know of a team which has two modules, which must behave differently
based on whether both are loaded, a condition which of course can/will change.
I think it would be reasonable for stacker to implement a notifier_chain
to support such cases.  Combined with a "lsm_is_loaded()" function, which
of course would be called only once upon module load, the functionality
you want should be trivial to implement in your module (and in that other
pair of modules I've heard about).

Does anyone think this is overkill?

thanks,
-serge
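The load-time query plus notifier arrangement proposed above, as an added userspace model that is not part of the original message or the stacker patch. Only the name `lsm_is_loaded()` comes from the thread; its signature here, the registry, the notifier type and the `owl_*` module are hypothetical stand-ins for illustration.

```c
/* Constructed userspace model; every signature and type here is assumed. */
#include <string.h>

#define MAX_LSM 8
enum lsm_event { LSM_LOADED, LSM_UNLOADED };
struct lsm_notifier {
    void (*call)(enum lsm_event ev, const char *name);
    struct lsm_notifier *next;
};
static const char *loaded[MAX_LSM];  /* modules currently stacked */
static struct lsm_notifier *chain;   /* hypothetical notifier chain */

static int find(const char *name)    /* slot index or -1 */
{
    for (int i = 0; i < MAX_LSM; i++)
        if (loaded[i] && strcmp(loaded[i], name) == 0) return i;
    return -1;
}
int lsm_is_loaded(const char *name) { return find(name) >= 0; }
void lsm_register_notifier(struct lsm_notifier *nb) { nb->next = chain; chain = nb; }
static void notify(enum lsm_event ev, const char *name)
{
    for (struct lsm_notifier *nb = chain; nb; nb = nb->next) nb->call(ev, name);
}
int stacker_load(const char *name)
{
    for (int i = 0; i < MAX_LSM; i++)
        if (!loaded[i]) { loaded[i] = name; notify(LSM_LOADED, name); return 0; }
    return -1;  /* no free slot */
}
void stacker_unload(const char *name)
{
    int i = find(name);
    if (i >= 0) { loaded[i] = NULL; notify(LSM_UNLOADED, name); }
}

/* Modelled OpenWall-ish module: defers to SELinux only while it is stacked. */
static int selinux_present;  /* cached so hooks never walk the list */
static void owl_event(enum lsm_event ev, const char *name)
{
    if (strcmp(name, "selinux") == 0) selinux_present = (ev == LSM_LOADED);
}
static struct lsm_notifier owl_nb = { owl_event, NULL };
void owl_init(void)
{
    lsm_register_notifier(&owl_nb);              /* subscribe first ... */
    selinux_present = lsm_is_loaded("selinux");  /* ... then query once */
}
/* Hook result: 0 = allow/defer, -1 = deny. Real code would need locking. */
int owl_check(int would_deny) { return (!selinux_present && would_deny) ? -1 : 0; }
```

Subscribing before the one-time query means a load or unload that lands between the two steps is not missed, and the hook itself only reads a cached flag.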


