On Thu, May 30, 2019 at 8:07 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> ... And lastly, it looks like lsm
> notifiers are atomic notifiers (not clear to me why) so you can't block
> in the callback, thereby requiring scheduling the work as is done in
> infiniband. I'm not sure though why we can't make the lsm notifiers
> blocking notifiers. The only callers of call_lsm_notifier() are
> sel_write_enforce() and selinux_lsm_notifier_avc_callback(), called from
> avc_ss_reset(), called from sel_write_enforce(), security_load_policy()
> and security_set_bools(), all outside of locks and in process context
> AFAICS.

Off the top of my head I don't recall why the atomic notifiers were chosen
over the blocking notifiers; it may simply be an artifact of an interim
patch that was changed. Regardless, I have no problem if we switch to
using blocking notifiers.

However, if we are changing it now it might be a good idea to also add a
"block"/"blocking" somewhere in the lsm_notifier functions' name to make
the change obvious and to help make it easier if we ever need to add
atomic notifier support in the future.

-- 
paul moore
www.paul-moore.com