[...] > > +config SECURITY_HOOK_LIKELY > > + bool "LSM hooks are likely to be initialized" > > + depends on SECURITY > > + default y > > + help > > + This controls the behaviour of the static keys that guard LSM hooks. > > + If LSM hooks are likely to be initialized by LSMs, then one gets > > + better performance by enabling this option. However, if the system is > > + using an LSM where hooks are much likely to be disabled, one gets > > + better performance by disabling this config. > > Since you described the situations where it's a net benefit, this could > be captured in the Kconfig too. How about this, which tracks the "major" > LSMs as in the DEFAULT_SECURITY choice: > > depends on SECURITY && EXPERT > default BPF_LSM || SECURITY_SELINUX || SECURITY_SMACK || SECURITY_TOMOYO || SECURITY_APPARMOR\ I think for BPF_LSM the option would not be y. But yeah I like this suggestion. > > > -- > Kees Cook
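Review bot: the help text of SECURITY_HOOK_LIKELY reads "using an LSM where hooks are much likely to be disabled", which is ungrammatical and never says which LSM that is, so someone configuring a kernel has nothing to base the choice on. Suggest "much more likely to be disabled" and naming the case the text has in mind. With the unconditional "default y", every SECURITY=y build gets the likely-enabled behaviour. If the default becomes the expression proposed in the reply, BPF_LSM should be dropped from it, given the follow-up that the option would not be y for BPF_LSM. The trailing backslash after SECURITY_APPARMOR in that proposal should go as well if nothing continues the line.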