On Fri, Dec 8, 2023 at 1:22 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > On Fri, Dec 08, 2023 at 12:55:16PM -0500, Paul Moore wrote: > > On Fri, Dec 8, 2023 at 12:46 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > > > On Fri, Dec 8, 2023 at 12:36 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > > > On Fri, Nov 10, 2023 at 11:20:37PM +0100, KP Singh wrote: > > > > > [...] > > > > > --- > > > > > security/Kconfig | 11 +++++++++++ > > > > > 1 file changed, 11 insertions(+) > > > > > > > > Did something go missing from this patch? I don't see anything depending > > > > on CONFIG_SECURITY_HOOK_LIKELY (I think this was working in v7, though?) > > > > I guess while I'm at it, and for the sake of the mailing list, it is > > worth mentioning that I voiced my dislike of the > > CONFIG_SECURITY_HOOK_LIKELY Kconfig option earlier this year yet it > > continues to appear in the patchset. It's hard to give something > > priority when I do provide some feedback and it is apparently ignored. > > The CONFIG was created specifically to address earlier concerns about > not being able to choose whether to use this performance improvement. :P > What's the right direction forward? Are you honestly uncertain after our discussions today? I'll be honest and say that I'm a little confused as I thought I made it very clear when I told you to just be patient off-list, and reminded you in this thread that the patchset was in my review queue and I will get to it once it bubbles to the top. I don't know what else to say here ... ? As far as the CONFIG_SECURITY_HOOK_LIKELY patch, looking back at my comments from September [1] there is a clear statement that I am not in favor of this patch along with a brief explanation as to why: "I'm not in favor of adding a Kconfig option for something like this. If you have an extremely well defined use case then you can probably do the work to figure out the "correct" value for the tunable, but for a general purpose kernel build that will have different LSMs active, a variety of different BPF LSM hook implementations at different times, etc. there is little hope to getting this right." ... and that was back when the knob actually did something, as you pointed out in this thread, the v8 version of this patch doesn't appear to do anything, which is really baffling and not a good sign. As far as what to do about this patch, in our off-list discussion I asked you and KP to refrain from respinning the patchset just to get rid of this patch, but keep it in mind for future submissions. Hopefully by repeating the important bits of the conversation you now understand that there is nothing you can do at this moment to speed my review of this patchset, but there are things you, and KP, can do in the future if additional respins are needed. However, if you are still confused, it may be best to go do something else for a bit and then revisit this email because there is nothing more that I can say on this topic at this point in time. [1] https://lore.kernel.org/linux-security-module/CAHC9VhSSX0KRuWRURUmt2tUis6fbbmozUbcoeAPkLRmfR2jqAg@xxxxxxxxxxxxxx/ -- paul-moore.com
