Re: A basic question about the security_* hooks

From: Tetsuo Handa
Date: Thu Dec 24 2009 - 16:55:24 EST


Eric W. Biederman wrote:
> My immediate impression is that the big limitation today is the
> sharing of the void * security data members of structures.

I think the time to change "void * security" is approaching.

What about allocating a dedicated "void *" for each in-tree security module and
letting proposed security modules use "void * security", so that proposed security
modules can be evaluated without allocating a dedicated "void *", something like

struct foo {
	...
#ifdef CONFIG_SECURITY_SELINUX
	void *selinux;		/* owned by SELinux only */
#endif
#ifdef CONFIG_SECURITY_SMACK
	void *smack;		/* owned by Smack only */
#endif
#ifdef CONFIG_SECURITY_PROPOSED
	void *security;		/* shared slot for a proposed (not yet in-tree) module */
#endif
};

struct bar {
	...
#ifdef CONFIG_SECURITY_SELINUX
	void *selinux;
#endif
#ifdef CONFIG_SECURITY_PROPOSED
	void *security;
#endif
};

?

Regarding TOMOYO, a "void * security" automatically added to many structures is
nothing but a waste of memory, because TOMOYO doesn't need "void * security" except
in "struct task_struct".
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
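The layouts discussed in the message above, as an added user-space model that is not code from the post or from any kernel tree: "struct object_shared" has the single "void *security" slot every LSM had to share at the time, and "struct object_dedicated" is the proposed layout with one slot per in-tree module plus a spare "security" slot for a proposed module. The blob types, the attach helper and the module names are hypothetical stand-ins; the example shows why a shared slot cannot hold two modules' data at once, and what the dedicated layout costs per object for a module (such as TOMOYO) that uses none of the extra slots.

```c
/*
 * Added example (not from the LKML thread or any kernel tree): a user-space
 * model of a shared "void *security" slot versus one dedicated slot per LSM.
 * selinux_blob / smack_blob are hypothetical stand-ins for per-object LSM data.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct selinux_blob { unsigned int sid; };   /* stand-in for an SELinux object blob */
struct smack_blob   { char label[16]; };     /* stand-in for a Smack label */

/* Layout A: one shared slot; whichever module claims it first owns it. */
struct object_shared {
	int id;
	void *security;
};

/* Layout B: a dedicated slot per in-tree module, spare slot for a proposal. */
struct object_dedicated {
	int id;
	void *selinux;
	void *smack;
	void *security;
};

/* Claim the shared slot. Returns 0 on success, -1 if another module owns it. */
static int shared_attach(struct object_shared *o, void *blob)
{
	if (o->security)
		return -1;
	o->security = blob;
	return 0;
}

/* With a shared slot, the second module that tries to attach a blob loses. */
int shared_layout_blocks_second_module(void)
{
	struct object_shared o = { .id = 1, .security = NULL };
	struct selinux_blob sb = { .sid = 42 };
	struct smack_blob kb;

	strcpy(kb.label, "_");
	return shared_attach(&o, &sb) == 0 && shared_attach(&o, &kb) == -1;
}

/* With dedicated slots, both modules keep their own blob on the same object. */
int dedicated_layout_holds_both(void)
{
	struct object_dedicated o = { .id = 1 };
	struct selinux_blob sb = { .sid = 42 };
	struct smack_blob kb;

	strcpy(kb.label, "_");
	o.selinux = &sb;
	o.smack = &kb;
	return ((struct selinux_blob *)o.selinux)->sid == 42 &&
	       strcmp(((struct smack_blob *)o.smack)->label, "_") == 0;
}

/*
 * Per-object cost of layout B over layout A in bytes: the extra pointers are
 * paid by every object, even for a module that uses none of them on this type.
 */
size_t dedicated_extra_bytes_per_object(void)
{
	return sizeof(struct object_dedicated) - sizeof(struct object_shared);
}

int main(void)
{
	printf("shared slot rejects second module: %d\n",
	       shared_layout_blocks_second_module());
	printf("dedicated slots hold both blobs:   %d\n",
	       dedicated_layout_holds_both());
	printf("extra bytes per object (layout B): %zu\n",
	       dedicated_extra_bytes_per_object());
	return 0;
}
```

The extra cost is exactly two pointers per object here (the selinux and smack slots), which is the overhead the message objects to for structures on which a given module stores nothing.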