On Tue, Apr 12, 2016 at 4:52 AM, Paolo Abeni <pabeni@xxxxxxxxxx> wrote: > Will be ok if we post a v2 version of this series, removing the hooks > de-registration bits, but preserving the selinux nf-hooks and > socket_sock_rcv_skb() on-demand/delayed registration ? Will that fit > with the post-init read only memory usage that you are planning ? The work Florian and and I were talking about would be limited just to the netfilter hooks, the LSM hooks, e.g. socket_sock_rcv_skb() and friends, would remain as they are today. What what we discussing was defaulting to not registering the netfilter hooks until it became necessary due to a labeled networking configuration or the always_check_network policy capability; the registration of the netfilter hooks would be permanent, you could not unregister the hooks at that point, you would need to reboot. Does that make sense? As far as Casey's concerns, I don't think the work we are talking about for the v2 patchset would have any effect on the socket/sock security blobs as you really can't manage those adequately from the netfilter hooks; you most likely will reference them and perhaps even update the data within, but not allocate or free the blobs. Besides, even in some weird case you were alloc/free'ing security blobs in the netfilter hooks, we can deal with that on a per-LSM basis if/when the full fledged stacking patches are merged; everything we are talking about is a hidden implementation detail so changing it in the future shouldn't be a problem. -- paul moore www.paul-moore.com _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
