On Tuesday, June 25, 2013 04:53:02 PM Casey Schaufler wrote:
> On 6/25/2013 2:18 PM, Paul Moore wrote:
> > Nothing new here, all of these patches have been posted before. I'm
> > posting these patches again for two reasons:
> >
> > 1. Remind Eric he still hasn't merged them into the SELinux tree
> > 2. Send notice that I've pushed the patches to my -next tree so
> >    they should be in the next spin of linux-next
> >
> > I was hoping that these patches would have hit linux-next by now via
> > the SELinux tree but that hasn't happened so I'm going to do it via
> > my labeled networking tree (all the patches are labeled networking
> > related anyway).
>
> No objection from this end, but I'm curious about the motivation
> for the changes as they affect the LSM interface.

I assume you are talking about patch 2/9?

I guess first things first, the changes don't affect how the rest of the
kernel sees the LSM, only how an individual LSM is implemented.

If you look at the pre-patch LSM hook implementation for
security_xfrm_state_alloc() and security_xfrm_state_alloc_acquire() you
notice that they share a common LSM-specific implementation function,
xfrm_state_alloc_security(), which takes different arguments depending on
the LSM hook. If you look at how SELinux implements this function (SELinux
is the only example available that uses this hook) you will notice that
there the behavior varies quite a bit depending on the LSM hook caller; in
reality, the function is much cleaner and simpler if we split it so that we
have one hook implementation for each LSM hook - like pretty much
everything else in the LSM.

--
paul moore
security and virtualization @ redhat