On Mon, 2008-08-18 at 17:15 +0100, Alan Cox wrote:
> > read -> we have the ALLOW/mark result bit in core set so just allow.
>
> Don't think we need this - SELinux can do that bit
>
> > mtime update -> clear ALLOW/"mark result" bit in core, send async
> > notification to userspace
>
> Why via the kernel ?
The single in core allow/deny bit is so that the vast majority of
operations are completely free. Say we scan/index /lib/ld-linux.so.2
once. Do you really want every single read/mmap operation from then on
to have to block waiting for the userspace caches of your HSM, your AV
scanner, and your indexer? If all three tell the kernel they don't need
to see it again and that information is easy and free to maintain, let's
do it.
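The trade-off argued above can be made concrete with a small userspace model. This is an added example, not code from the thread or from any kernel patch: it keeps one in-core ALLOW bit per file, blocks on every registered scanner only while that bit is clear, and clears the bit (queueing one asynchronous event per scanner) when the file is modified. All names (`file_state`, `file_read`, `file_modify`, `register_scanner`) and the scanner verdicts are this example's own assumptions; the kernel's real per-inode state and notification path are not modelled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SCANNERS 8

/* Hypothetical per-file in-core state (names invented for this example). */
struct file_state {
    const char *path;
    bool allow_cached;                 /* the single ALLOW / "mark result" bit */
    unsigned long scan_calls;          /* times a read had to block on userspace */
    unsigned long async_notifications; /* events queued to userspace on change */
};

/* A registered userspace scanner (HSM, AV, indexer) returning its verdict. */
typedef bool (*scan_fn)(const struct file_state *f);
struct scanner { const char *name; scan_fn scan; };

static struct scanner scanners[MAX_SCANNERS];
static unsigned nr_scanners;

void reset_scanners(void) { nr_scanners = 0; }

bool register_scanner(const char *name, scan_fn fn)
{
    if (nr_scanners >= MAX_SCANNERS)
        return false;
    scanners[nr_scanners].name = name;
    scanners[nr_scanners].scan = fn;
    nr_scanners++;
    return true;
}

struct file_state file_state_init(const char *path)
{
    struct file_state f;
    memset(&f, 0, sizeof f);
    f.path = path;
    return f;
}

/* Slow path: block on every scanner; cache ALLOW only when all of them agree.
 * A deny is deliberately never cached, so a denied file is re-checked each time. */
static bool consult_scanners(struct file_state *f)
{
    bool allow = true;
    for (unsigned i = 0; i < nr_scanners; i++) {
        f->scan_calls++;
        if (!scanners[i].scan(f))
            allow = false;
    }
    f->allow_cached = allow;
    return allow;
}

/* Fast path for read/mmap: free once the in-core bit is set. */
bool file_read(struct file_state *f)
{
    if (f->allow_cached)
        return true;
    return consult_scanners(f);
}

/* Modification (mtime update): clear the bit and notify each scanner
 * asynchronously, without blocking the writer. */
void file_modify(struct file_state *f)
{
    f->allow_cached = false;
    f->async_notifications += nr_scanners;
}

/* Constructed scanner verdicts used for the demonstration. */
static bool allow_all(const struct file_state *f) { (void)f; return true; }
static bool deny_all(const struct file_state *f)  { (void)f; return false; }

int main(void)
{
    register_scanner("hsm", allow_all);
    register_scanner("av", allow_all);
    register_scanner("indexer", allow_all);

    struct file_state f = file_state_init("/lib/ld-linux.so.2");
    for (int i = 0; i < 1000; i++)
        file_read(&f);                 /* only the first read blocks */
    printf("1000 reads -> %lu scanner calls\n", f.scan_calls);

    file_modify(&f);                   /* bit cleared, 3 async events queued */
    file_read(&f);                     /* next read blocks again */
    printf("after modify -> %lu scanner calls, %lu notifications\n",
           f.scan_calls, f.async_notifications);

    reset_scanners();
    register_scanner("av", deny_all);
    struct file_state g = file_state_init("/tmp/constructed-sample");
    printf("denied file read: %s\n", file_read(&g) ? "allowed" : "denied");
    return 0;
}
```

With three allowing scanners, a thousand reads cost three blocking calls in total; each modification costs three queued events and one further round of three calls on the next read. A denied file never sets the bit, so every read of it pays the slow path, which is the intended behaviour for the single-bit design: the cheap case is "known good", not "known anything".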