On 10/9/2019 5:40 PM, Joel Fernandes wrote:
> On Wed, Oct 09, 2019 at 03:41:56PM -0700, Casey Schaufler wrote:
>> On 10/9/2019 3:14 PM, James Morris wrote:
>>> On Wed, 9 Oct 2019, Casey Schaufler wrote:
>>>
>>>> Please consider making the perf_alloc security blob maintained
>>>> by the infrastructure rather than the individual modules. This
>>>> will save it having to be changed later.
>>> Is anyone planning on using this with full stacking?
>>>
>>> If not, we don't need the extra code & complexity. Stacking should only
>>> cover what's concretely required by in-tree users.
>> I don't believe it's any simpler for SELinux to do the allocation
>> than for the infrastructure to do it. I don't see anyone's head
>> exploding over the existing infrastructure allocation of blobs.
>> We're likely to want it at some point, so why not avoid the hassle
>> and delay by doing it the "new" way up front?
>>
> I don't see how it can be maintained by the users (assuming you meant
> infrastructure as perf_event subsystem).

No, I meant allocated in security.c. Look at how file blobs are allocated.

> The blob contains a SID which as far
> as I know, is specific to SELinux.

Do you have an in-tree example of this?

> Further, this is also exactly how it is done for BPF objects which I used as a
> reference.

There's no real harm in doing it that way, just that it is a change
that I'll have to make at some point in the future* and it would be
really nice if I didn't have to.

> thanks,
>
> - Joel

-----
* When? After I get the current AppArmor/SELinux stacking enabling in
and can get to the Smack backlog, which includes BPF and perf_events.
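As an added illustration, not code from this thread or from the kernel, here is a user-space C model of the infrastructure-managed blob pattern Casey points at (the way file blobs are handled in security.c): each module declares how many bytes it needs at init, the infrastructure sums those and performs one allocation per object, and each module addresses only its own slice by the offset it was given. The function names, the two hypothetical modules and the sample values are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the per-blob size counter kept by the LSM
 * infrastructure: every module adds its need, the sum is the blob size. */
static int perf_blob_total;                 /* bytes needed by all modules */
static void perf_blob_reset(void) { perf_blob_total = 0; }

/* A module reserves `size` bytes and receives its offset into the blob. */
static int perf_blob_reserve(int size)
{
    int offset = perf_blob_total;
    perf_blob_total += size;
    return offset;
}

/* Stand-in for the kernel object: one security pointer shared by all
 * stacked modules, owned and allocated by the infrastructure. */
struct perf_event_model { void *security; };

/* One allocation per object, independent of how many modules are stacked;
 * returns 0 on success, -1 on allocation failure. */
static int perf_blob_alloc(struct perf_event_model *ev)
{
    ev->security = perf_blob_total ? calloc(1, perf_blob_total) : NULL;
    return (perf_blob_total && !ev->security) ? -1 : 0;
}
static void perf_blob_free(struct perf_event_model *ev)
{ free(ev->security); ev->security = NULL; }

/* Two hypothetical modules: A keeps a numeric id (the SID-style value Joel
 * mentions), B keeps a short label. Neither allocates; each only derefs
 * its own slice via the offset handed out at init. */
struct mod_a_blob { uint32_t sid; };
struct mod_b_blob { char label[16]; };
static int mod_a_off, mod_b_off;
static void mod_a_init(void) { mod_a_off = perf_blob_reserve(sizeof(struct mod_a_blob)); }
static void mod_b_init(void) { mod_b_off = perf_blob_reserve(sizeof(struct mod_b_blob)); }
static struct mod_a_blob *mod_a(struct perf_event_model *ev)
{ return (struct mod_a_blob *)((char *)ev->security + mod_a_off); }
static struct mod_b_blob *mod_b(struct perf_event_model *ev)
{ return (struct mod_b_blob *)((char *)ev->security + mod_b_off); }

/* Both modules populate the same event without colliding; returns 0 if
 * every value reads back intact from its own slice. */
static int demo(void)
{
    struct perf_event_model ev;
    perf_blob_reset(); mod_a_init(); mod_b_init();
    if (perf_blob_alloc(&ev)) return -1;
    mod_a(&ev)->sid = 42;
    strcpy(mod_b(&ev)->label, "demo_label");
    int ok = mod_a(&ev)->sid == 42 && strcmp(mod_b(&ev)->label, "demo_label") == 0;
    perf_blob_free(&ev);
    return ok ? 0 : -1;
}
```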