Re: [PATCH v2 3/9] security: define security_kernel_read_blob() wrapper
From: James Morris
Date: Fri May 18 2018 - 12:17:59 EST
On Thu, 17 May 2018, Eric W. Biederman wrote:
> Nacked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
>
> Nack on this sharing nonsense. These two interfaces do not share any
> code in their implementations other than the if statement to distinguish
> between the two cases.
Hmm, it's not even doing that.
There's already an if(!file && read_id == X) { } check and this is another
one being added.
> If we want comprehensible and maintainable code in the security modules
> we need to split these two pieces of functionality apart.
All ima_read is doing in both the old and new case is checking if there's
no file then if it's a certain operation, returning an error.
To echo Eric and Casey's suggestions, how about changing the name of the
hook to security_kernel_read_data() ?
Then ima_read_file() can be changed to ima_read_data(), and then instead
of two if (!file && read_id == X) checks, have:
if (!file) {
switch (read_id) {
}
}
--
James Morris
<jmorris@xxxxxxxxx>