On 1/19/2023 8:36 PM, Kees Cook wrote:
> On Fri, Jan 20, 2023 at 01:08:17AM +0100, KP Singh wrote:
>> The indirect calls are not really needed as one knows the addresses of
>> enabled LSM callbacks at boot time and only the order can possibly
>> change at boot time with the lsm= kernel command line parameter.
>>
>> ...
>
> Then these replacements don't look weird. This would just be:
>
>         security_for_each_hook(scall, vm_enough_memory) {
>                 rc = scall->hl->hook.vm_enough_memory(mm, pages);
>                 if (rc <= 0) {
>                         cap_sys_admin = 0;
>                         break;
>                 }
>         }

That's a whole lot easier to swallow than what was originally proposed.

>
> I'm excited to have this. The speed improvements are pretty nice.
>