On Wed, Oct 09, 2019 at 03:41:56PM -0700, Casey Schaufler wrote:
> On 10/9/2019 3:14 PM, James Morris wrote:
> > On Wed, 9 Oct 2019, Casey Schaufler wrote:
> >
> >> Please consider making the perf_alloc security blob maintained
> >> by the infrastructure rather than the individual modules. This
> >> will save it having to be changed later.
> > Is anyone planning on using this with full stacking?
> >
> > If not, we don't need the extra code & complexity. Stacking should only
> > cover what's concretely required by in-tree users.
>
> I don't believe it's any simpler for SELinux to do the allocation
> than for the infrastructure to do it. I don't see anyone's head
> exploding over the existing infrastructure allocation of blobs.
> We're likely to want it at some point, so why not avoid the hassle
> and delay by doing it the "new" way up front?
>

I don't see how it can be maintained by the users (assuming you meant
infrastructure as the perf_event subsystem). The blob contains a SID which,
as far as I know, is specific to SELinux. Do you have an in-tree example
of this?

Further, this is also exactly how it is done for BPF objects, which I used
as a reference.

thanks,

- Joel
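The two allocation models being argued over above, as an added userspace illustration that is not part of this thread or of the kernel: the LSM infrastructure sums the per-module blob sizes declared at init, allocates one blob per perf_event, and each module (SELinux storing its SID, plus a hypothetical second stacked module) reads and writes only its own slice. The names lsm_blob_sizes, lsm_register_perf_blob, selinux_perf_data, demo_perf_data and the 8-byte offset rounding are assumptions of this model, chosen to mirror the pattern rather than reproduce the kernel's exact API.

```c
/* Userspace model of infrastructure-managed LSM security blobs (illustration
 * only, not kernel code; all names below are assumptions of this model). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Infrastructure keeps one running total per object type. */
struct lsm_blob_sizes { size_t lbs_perf_event; };
static struct lsm_blob_sizes blob_sizes;

/* The object carries one opaque security pointer shared by all modules. */
struct perf_event { void *security; };

/* SELinux's private view of its slice: the creating task's SID. */
struct selinux_perf_data { uint32_t sid; };
/* A second, hypothetical stacked module with its own per-event state. */
struct demo_perf_data { uint64_t label; };

static size_t selinux_blob_off;
static size_t demo_blob_off;

/* Give a module an offset into the shared blob and grow the total.
 * Offsets are rounded up to 8 bytes so every slice is aligned (model choice). */
static void lsm_register_perf_blob(size_t need, size_t *offset_out)
{
    blob_sizes.lbs_perf_event = (blob_sizes.lbs_perf_event + 7) & ~(size_t)7;
    *offset_out = blob_sizes.lbs_perf_event;
    blob_sizes.lbs_perf_event += need;
}

static void *perf_blob(const struct perf_event *e, size_t off)
{
    return (char *)e->security + off;
}

/* Infrastructure side: a single allocation sized for all registered modules. */
static int lsm_perf_event_alloc(struct perf_event *e)
{
    e->security = NULL;
    if (blob_sizes.lbs_perf_event == 0)
        return 0;
    e->security = calloc(1, blob_sizes.lbs_perf_event);
    return e->security ? 0 : -ENOMEM;
}

static void lsm_perf_event_free(struct perf_event *e)
{
    free(e->security);
    e->security = NULL;
}

/* Module side: each hook touches only its own slice. */
static int selinux_perf_event_alloc(struct perf_event *e, uint32_t current_sid)
{
    struct selinux_perf_data *d = perf_blob(e, selinux_blob_off);
    d->sid = current_sid;
    return 0;
}

static uint32_t selinux_perf_event_sid(const struct perf_event *e)
{
    const struct selinux_perf_data *d = perf_blob(e, selinux_blob_off);
    return d->sid;
}

static int demo_perf_event_alloc(struct perf_event *e, uint64_t label)
{
    struct demo_perf_data *d = perf_blob(e, demo_blob_off);
    d->label = label;
    return 0;
}

static uint64_t demo_perf_event_label(const struct perf_event *e)
{
    const struct demo_perf_data *d = perf_blob(e, demo_blob_off);
    return d->label;
}

/* Boot-time registration: registration order fixes each module's offset. */
static void lsm_init_perf_blobs(void)
{
    memset(&blob_sizes, 0, sizeof(blob_sizes));
    lsm_register_perf_blob(sizeof(struct selinux_perf_data), &selinux_blob_off);
    lsm_register_perf_blob(sizeof(struct demo_perf_data), &demo_blob_off);
}

/* Allocate one event, let both modules label it, verify neither clobbered
 * the other. Returns 0 on success, -1 on mismatch, -ENOMEM on allocation failure. */
static int stacked_perf_roundtrip(uint32_t sid, uint64_t label)
{
    struct perf_event ev;
    int ok;

    lsm_init_perf_blobs();
    if (lsm_perf_event_alloc(&ev) != 0)
        return -ENOMEM;
    selinux_perf_event_alloc(&ev, sid);
    demo_perf_event_alloc(&ev, label);
    ok = selinux_perf_event_sid(&ev) == sid && demo_perf_event_label(&ev) == label;
    lsm_perf_event_free(&ev);
    return ok ? 0 : -1;
}

int main(void)
{
    int rc = stacked_perf_roundtrip(1234, 0xfeedfacecafebeefULL);
    printf("blob %zu bytes, selinux@%zu demo@%zu, roundtrip %s\n",
           blob_sizes.lbs_perf_event, selinux_blob_off, demo_blob_off,
           rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

The point of the model is the one Casey raises: with the infrastructure owning the allocation, adding a second module means registering one more size at init, and SELinux's SID-carrying slice does not change. Under the alternative, where SELinux's hook does the kmalloc itself, a later stacked module would have to renegotiate who allocates and how the pointer is shared.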