On 27.03.2014 13:46, Thomas Bächler wrote:
> Do you even know what that means? If I see this right, every time
> the kernel needs to do some permission check, it needs to ask "are
> we using LSM xyz?". In any case, it's more code and thus more room
> for failure.

Not necessarily. I do not know the code of all the policy enforcement points, but if you have a function pointer to the policy decision function, you only have to query this function. So if you enable SELinux, you let the pointer point to the SELinux function.

Maybe you don't understand what I mean because of my bad English; here is some example code:

    /* Pointer to the active policy decision function. */
    int (*func)( char *arg, ... );

    int SELinux_pdp( char *arg, ... )
    {
        /* Code */
    }

    int pdp( char *arg, ... )
    {
        /* Code */
    }

    /* Done once, when the policy module is selected. */
    if( SELinux ) {
        func = &SELinux_pdp;
    } else {
        func = &pdp;
    }

So you only have to call func( arg, ... ) and test the returned value.

Besides that, I'd prefer a smaller kernel, too.
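Added example, not part of the original message and not kernel code: a user-space C sketch of the dispatch described above, in which the enforcement point makes one indirect call and the decision function is chosen once. The request struct, both decision rules, and the names pdp_select and check_access are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical request an enforcement point hands to the decision function. */
struct access_req {
    const char *subject_label;
    const char *object_label;
    int uid;
    int want_write;
};

typedef int (*pdp_fn)(const struct access_req *);

/* Default decision (constructed rule): only uid 0 may write. */
int default_pdp(const struct access_req *r)
{
    return (r->want_write && r->uid != 0) ? -EACCES : 0;
}

/* Stand-in for a MAC module (constructed rule): writes need matching
 * labels, and uid 0 gets no exemption. */
int mac_pdp(const struct access_req *r)
{
    if (r->want_write && strcmp(r->subject_label, r->object_label) != 0)
        return -EACCES;
    return 0;
}

static pdp_fn active_pdp = default_pdp; /* never NULL, so no per-call test */
static int pdp_sealed;

/* Chosen once at start-up; later attempts are refused so the pointer
 * cannot be swapped after enforcement has begun. */
int pdp_select(pdp_fn fn)
{
    if (fn == NULL)
        return -EINVAL;
    if (pdp_sealed)
        return -EBUSY;
    active_pdp = fn;
    pdp_sealed = 1;
    return 0;
}

/* Enforcement point: one indirect call, no "which module?" branch. */
int check_access(const struct access_req *r)
{
    return active_pdp(r);
}
```

The pointer starts at the default function instead of NULL, so a caller that runs before any module is selected still gets a decision, and the seal keeps the selection from being replaced later.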