On 2023/12/09 7:05, Kees Cook wrote:
> Okay, I understand now. Sorry for frustrating you! By "way forward",
> I meant I didn't understand how to address what looked like conflicting
> feedback. I think my confusion was over separating the goal ("this
> feature should be automatically enabled when it is known to be useful")
> from an interpretation of earlier feedback as "I don't want a CONFIG [that
> leaves this up to the user]", when what you really wanted understood was
> "I don't want a CONFIG *ever*, regardless of whether it picks the correct
> setting automatically".

Is it possible to change the direction from "call all individual callbacks
from security/security.c" to "call next callback at end of current callback
if current callback succeeded and next callback is defined, and
security/security.c calls only the first callback"
( https://lkml.kernel.org/r/38b318a5-0a16-4cc2-878e-4efa632236f3@xxxxxxxxxxxxxxxxxxx ),
something like

  static int module_specific_some_ops(args) {
    if (logic_for_this_module(args)) {
      return -EPERM;
    }
    return 0;
  }

  static int autogenerated_some_ops(args) {
    int ret = module_specific_some_ops(args);
    if (ret == 0) {
      ret = static_call(next_registered_hook)(args);
    }
    return ret;
  }

and let LSM_HOOK_INIT() macro generate autogenerated_some_ops() part?
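
The chained-callback layout proposed in the message above, modelled in user space as an added example (not code from the mail or from the kernel). Plain function pointers stand in for static_call(), and DEFINE_CHAINED_HOOK, the moda/modb modules and security_file_open() are hypothetical names; the per-module call counters show that a denial stops the chain before later modules run.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hook type; a function pointer stands in for static_call(). */
typedef int (*file_open_hook_t)(const char *path, int uid);

/* End of chain: no further module is registered, so allow. */
static int chain_end(const char *path, int uid) { (void)path; (void)uid; return 0; }

/* Hypothetical generator macro: emits the per-module "next" slot and the
 * wrapper that forwards to it only when the module's own check returned 0. */
#define DEFINE_CHAINED_HOOK(mod)                                    \
    static file_open_hook_t mod##_next = chain_end;                 \
    static int mod##_calls;                                         \
    static int mod##_chained_file_open(const char *path, int uid)   \
    {                                                               \
        int ret = mod##_file_open(path, uid);                       \
        mod##_calls++;                                              \
        if (ret == 0)                                               \
            ret = mod##_next(path, uid);                            \
        return ret;                                                 \
    }

/* Constructed module logic: moda guards /secret/, modb rejects "..". */
static int moda_file_open(const char *path, int uid)
{
    return (uid != 0 && strncmp(path, "/secret/", 8) == 0) ? -EPERM : 0;
}
static int modb_file_open(const char *path, int uid)
{
    (void)uid;
    return strstr(path, "..") ? -EACCES : 0;
}
DEFINE_CHAINED_HOOK(moda)
DEFINE_CHAINED_HOOK(modb)

static file_open_hook_t first_hook = chain_end;
static void register_chain(void)
{
    first_hook = moda_chained_file_open;   /* head of the chain */
    moda_next = modb_chained_file_open;    /* modb keeps chain_end as next */
}
/* The only call the core makes in this model: enter the chain at its head. */
static int security_file_open(const char *path, int uid) { return first_hook(path, uid); }

int main(void)
{
    register_chain();
    printf("%d %d\n", security_file_open("/secret/key", 1000), modb_calls);
    return 0;
}
```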