On 5/31/2023 2:10 PM, Paul Moore wrote:
> On Wed, May 31, 2023 at 10:00 AM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>> On 5/31/2023 4:05 AM, GONG, Ruiqi wrote:
>>> As the security infrastructure has taken over the management of multiple
>>> *_security blobs that are accessed by multiple security modules, and
>>> sk->sk_security shares the same situation, move its management out of
>>> individual security modules and into the security infrastructure as
>>> well. The infrastructure does the memory allocation, and each relevant
>>> module uses its own share.
>> Do you have a reason to make this change? The LSM infrastructure
>> manages other security blobs to enable multiple concurrently active
>> LSMs to use the blob. If only one LSM on a system can use the
>> socket blob there's no reason to move the management.
> I think an argument could be made for consistent handling of security
> blobs, but with the LSM stacking work in development the argument for
> merging this patch needs to be a lot stronger than just "consistency".

I'm betting that someone has an out-of-tree LSM that uses a socket blob,
and that the intended use case includes stacking with one of the "major"
LSMs. I would encourage that someone to propose that LSM for upstream.