Re: [PATCH] LSM: Infrastructure management of the sock

From: Casey Schaufler
Date: Wed May 31 2023 - 17:47:07 EST

On 5/31/2023 2:10 PM, Paul Moore wrote:
> On Wed, May 31, 2023 at 10:00 AM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>> On 5/31/2023 4:05 AM, GONG, Ruiqi wrote:
>>> As the security infrastructure has taken over the management of multiple
>>> *_security blobs that are accessed by multiple security modules, and
>>> sk->sk_security shares the same situation, move its management out of
>>> individual security modules and into the security infrastructure as
>>> well. The infrastructure does the memory allocation, and each relavant
>>> module uses its own share.
>> Do you have a reason to make this change? The LSM infrastructure
>> manages other security blobs to enable multiple concurrently active
>> LSMs to use the blob. If only one LSM on a system can use the
>> socket blob there's no reason to move the management.
> I think an argument could be made for consistent handling of security
> blobs, but with the LSM stacking work in development the argument for
> merging this patch needs to be a lot stronger than just "consistency".

I'm betting that someone has an out-of-tree LSM that uses a socket blob,
and that the intended use case includes stacking with one of the "major"
LSMs. I would encourage that someone to propose that LSM for upstream.