On Wed, May 25, 2005 at 10:13:12PM -0400, James Morris wrote:

> > But the LSM hooks aren't going to just disappear. Under what you propose they
> > will be replaced by other SELinux-specific calls. How does this change the
> > impact to core/other kernel maintainers when they make changes? They are
> > still going to be faced with making changes near call points whose purpose
> > they may not be overly familiar with.
>
> That's a good point. Yes, the SELinux-specific calls would still be
> there.
>
> The differences for core maintainers would be:
>
> a) Clearer semantics, i.e. being able to trace the flow directly into the
> SELinux code and be able to see exactly what's happening.

Sure, but the core developers have to work around such issues with VFS, networking and many other function-pointer based interfaces.

I can read/understand what you are saying: that in your opinion only in-tree LSM modules count, and of those SELinux is the only one of any meaning, and therefore the cost of a function-pointer interface is not acceptable since there is only one true LSM module (again, in your opinion).

> Possibly there's some confusion because Linux does not have any real

I don't think there is confusion, just disagreement :-)

We don't agree over the purpose of the LSM interface. I don't agree that its purpose is solely to enable in-tree modules.

> The only guaranteed kernel interface is the syscall layer.

What, SELinux can't replace it too? Kidding :-)

Tony
This archive was generated by hypermail 2.1.3 : Wed May 25 2005 - 19:35:49 PDT