On Fri, Feb 10, 2023 at 6:21 PM Fan Wu <wufan@xxxxxxxxxxxxxxxxxxx> wrote:
> On Tue, Jan 31, 2023 at 04:49:44PM +0100, Roberto Sassu wrote:
> > On Mon, 2023-01-30 at 14:57 -0800, Fan Wu wrote:
> > > From: Deven Bowers <deven.desai@xxxxxxxxxxxxxxxxxxx>
> > >
> > > IPE must have a centralized function to evaluate incoming callers
> > > against IPE's policy. This iteration of the policy against the rules
> > > for that specific caller is known as the evaluation loop.
> >
> > Not sure if you check the properties at every access.
> >
> > From my previous comments (also for previous versions of the patches)
> > you could evaluate the property once, by calling the respective
> > functions in the other subsystems.
> >
> > Then, you reserve space in the security blob for inodes and superblocks
> > to cache the decision. The format could be a policy sequence number, to
> > ensure that the cache is valid only for the current policy, and a bit
> > for every hook you enforce.
>
> Thanks for raising this idea. I agree that if the property evaluation
> leads to a performance issue, it will be better to cache the evaluation
> result. But for this version, all the property evaluations are simple,
> so it is just as fast as accessing a cache. Also, for the initial
> version we prefer to keep the patch as minimal as possible.

FWIW, I think that is the right decision. Keeping the initial submission
relatively small and focused has a lot of advantages when it comes both
to review and prematurely optimizing things that might not need
optimization.

--
paul-moore.com
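The decision cache Roberto sketches in the quoted part of the thread (a policy sequence number plus per-hook bits in the inode security blob), written out as an added C illustration; it is not IPE code and not part of any patch in this thread. The struct and function names, the hook count, the separate "evaluated" and "allowed" masks, and the stand-in slow path are all assumptions made for the illustration.

```c
/* Added illustration, not code from the thread or from IPE: a per-inode decision
 * cache stamped with a policy sequence number so it self-invalidates on reload.
 * Names, hook count and the two-mask layout are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#define IPE_HOOK_COUNT 4u              /* assumed number of enforced hooks */
struct ipe_decision_cache {            /* would live in the inode security blob */
	uint64_t policy_seq;               /* policy the bits below were computed under */
	uint8_t evaluated;                 /* bit n set: hook n evaluated under policy_seq */
	uint8_t allowed;                   /* bit n set: hook n's verdict was "allow" */
};

static uint64_t current_policy_seq = 1; /* bumped on every policy load */
static unsigned slow_path_calls;        /* counts full evaluations (for checking) */
static void ipe_policy_reload(void) { current_policy_seq++; }
/* Constructed stand-in for the real evaluation loop: deny hook 1, allow the rest. */
static bool ipe_slow_path(unsigned hook) { slow_path_calls++; return hook != 1; }

/* Hit only if built under the current policy and this hook was evaluated. */
static bool ipe_cache_lookup(const struct ipe_decision_cache *c, unsigned hook, bool *allow)
{
	if (hook >= IPE_HOOK_COUNT || c->policy_seq != current_policy_seq)
		return false;                  /* stale: computed under an older policy */
	if (!(c->evaluated & (1u << hook)))
		return false;                  /* never evaluated under this policy */
	*allow = (c->allowed >> hook) & 1u;
	return true;
}

static void ipe_cache_store(struct ipe_decision_cache *c, unsigned hook, bool allow)
{
	if (hook >= IPE_HOOK_COUNT)
		return;
	if (c->policy_seq != current_policy_seq) { /* first store after a reload */
		c->policy_seq = current_policy_seq;
		c->evaluated = c->allowed = 0;         /* drop every old verdict at once */
	}
	c->evaluated |= 1u << hook;
	c->allowed = allow ? (c->allowed | (1u << hook)) : (c->allowed & ~(1u << hook));
}

/* Entry point: serve from cache, otherwise evaluate once and remember it. */
static bool ipe_evaluate(struct ipe_decision_cache *c, unsigned hook)
{
	bool allow;
	if (ipe_cache_lookup(c, hook, &allow))
		return allow;
	allow = ipe_slow_path(hook);
	ipe_cache_store(c, hook, allow);
	return allow;
}
```

A policy reload only bumps the sequence number; no per-inode walk is needed, because every entry compares unequal on its next lookup and is rebuilt lazily.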