On Thu, Aug 22, 2019 at 3:03 AM Florian Westphal <fw@xxxxxxxxx> wrote:
> Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > Hello netdev,
> >
> > I was just made aware of the skb extension work, and it looks very
> > appealing from a LSM perspective. As some of you probably remember,
> > we (the LSM folks) have wanted a proper security blob in the skb for
> > quite some time, but netdev has been resistant to this idea thus far.
>
> Is that "blob" in addition to skb->secmark, or a replacement?

That's a good question. While I thought about that, I wasn't sure if
that was worth bringing up as previous attempts to trade the secmark
field for a void pointer met with failure. Last time I played with it
I was able to take the additional 32-bits from holes in the skb, and
possibly even improve some of the cacheline groupings (but that is
always going to be dependent on use case I think), but that wasn't
enough.

I think we could consider freeing up the secmark in the main skb, and
move it to a skb extension, but this would potentially increase the
chances that we would need to add an extension to a skb. I don't have
any hard numbers, but based on discussions and questions I suspect
Secmark is more widely used than NetLabel and/or labeled IPsec;
although I'm confident it is still a minor percentage of the overall
Linux installed base.

For me the big question is what would it take for us to get a security
blob associated with the skb? Would moving the secmark into the skb
extension be enough? Something else? Or is this simply never going to
happen? I want to remain optimistic, but I've been trying for this
off-and-on for over a decade and keep running into a brick wall ;)

--
paul moore
www.paul-moore.com