On 7/25/2021 9:25 AM, Florian Westphal wrote: > Paul Moore <paul@xxxxxxxxxxxxxx> wrote: >>> There is the skb extension infra, does that work for you? >> I was hopeful that when the skb_ext capability was introduced we might >> be able to use it for the LSM(s), but when I asked netdev if they >> would be willing to accept patches to leverage the skb_ext >> infrastructure I was told "no". > I found > > https://lore.kernel.org/netdev/CAHC9VhSz1_KA1tCJtNjwK26BOkGhKGbPT7v1O82mWPduvWwd4A@xxxxxxxxxxxxxx/#r > > and from what I gather from your comments and that of Casey > I think skb extensions is the correct thing for this (i.e., needs > netlabel/secid config/enablement so typically won't be active on > a distro kernel by default). RedHat and android use SELinux and will want this. Ubuntu doesn't yet, but netfilter in in the AppArmor task list. Tizen definitely uses it with Smack. The notion that security modules are only used in fringe cases is antiquated. > It certainly makes more sense to me than doing lookups > in a hashtable based on a ID Agreed. The data burden required to support a hash scheme for the security module stacking case is staggering. > (I tried to do that to get rid of skb->nf_bridge > pointer years ago and it I could not figure out how to invalidate an entry > without adding a new skb destructor callback).
