Hello. Stephen Smalley wrote: > > Right. Locations of inserting security_path_set()/security_path_clear() pairs > > are subset of mnt_want_write()/mnt_drop_write() pairs. Thus, we can insert > > security_path_set()/security_path_clear() pairs into > > mnt_want_write()/mnt_drop_write() pairs, if we can tolerate performance > > regression. According to our rough measurement, there is about 8 - 22% of > > performance regression. But this approach needs minimum modification to the > > existing kernel (only two hooks to be inserted). > > I assume you also need separate hooks to cover the read-only open case? security_dentry_open() receives "struct file *", so I think we don't need separate hooks for open(O_RDONLY). > As for your performance, your implementation of mp_* is clearly > non-optimal, so I'd expect there is plenty of room for improvement > there. Yes. Thus, I want to pass a caller identifier to mnt_want_write() so that we can skip calculating vfsmount's pathname when it is not interested for a LSM module (e.g. mnt_want_write() called for updating atime/ctime/mtime checks). May I add "int caller_id" to mnt_want_write()? > No #ifdef's within the functions, of course. That gets handled by > security.h. OK. Regards. -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
