On Thu, 9 Aug 2007, David Howells wrote: > James Morris <jmorris@xxxxxxxxx> wrote: > > > David, I've looked at the code and can't see that you need to access the > > label itself outside the LSM. Could you instead simply pass the inode > > pointer around? > > It's not quite that simple. I need to impose *two* security labels in > cachefiles_begin_secure() when I'm about to act on behalf of a process that's > tried to access a netfs file: Ah ok, we had a similar problem with NFS mount options. While I'm concerned about encoding SELinux-optimized secid labels into general kernel structures, moving to more generalized pointers introduces lifecycle maintenance issues and complexity which is not needed in the mainline kernel. i.e. it'll be unused infrastructure maintained by upstream, and used only by out-of-tree modules. So, given that the kernel has no stable API, I suggest accepting the u32 secid as you propose, and if someone wants to merge a module which also uses these hooks, but is entirely unable to use u32 labels, then they can also justify making the interface more generalized and provide the code for it. - James -- James Morris <jmorris@xxxxxxxxx> - To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
