Re: A basic question about the security_* hooks
From: Tetsuo Handa
Date: Thu Dec 24 2009 - 16:55:24 EST
Eric W. Biederman wrote:
> My immediate impression is that the big limitation today is the
> sharing of the void * security data members of strucutres.
I think the time to change "void * security" is approaching.
What about allocating dedicated "void *" for each in-tree security modules and
let proposed security modules use "void * security" so that proposed security
modules can be evaluated without allocating dedicated "void *", something like
struct foo {
...
#ifdef CONFIG_SECURITY_SELINUX
void *selinux;
#endif
#ifdef CONFIG_SECURITY_SMACK
void *smack;
#endif
#ifdef CONFIG_SECURITY_PROPOSED
void *security
#endif
}
struct bar {
...
#ifdef CONFIG_SECURITY_SELINUX
void *selinux;
#endif
#ifdef CONFIG_SECURITY_PROPOSED
void *security
#endif
}
?
Regarding TOMOYO, "void * security" automatically added to many structure is
nothing but waste of memory because TOMOYO don't need "void * security" except
"struct task_struct".
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/