On Thu, 2016-01-21 at 10:45 -0500, Paul Moore wrote: > On Thursday, January 21, 2016 08:12:12 AM Mimi Zohar wrote: > > Paul, Casey, Kees, Jon, Tetsuo does it make sense to consolidate the > > module, firmware, and kexec pre and post security hooks and have just > > one set of pre and post security kernel_read_file hook instead? Does > > it make sense for this patch set to define the new hooks to allow the > > LSMs to migrate to it independently of each other? > > Well, as usual, the easiest way to both get solid feedback and actually get a > change accepted is to post patches to the affected LSMs. Probably not what > you wanted to hear, but at least I'm honest :) Unless I'm misreading the code, it might be a lot simpler than I thought. Of the three LSM hooks kernel_module_request, kernel_module_from_file, and kernel_fw_from_file, the only upstreamed LSM on any of these hooks is SELinux, which is only on the kernel_module_request hook. After converting the SELinux kernel_module_request hook to use the new kernel_read_file(), do I then remove the three hooks? Are we concerned about "minor" LSMs that have not been upstreamed that might be using these hooks? Mimi
