--- James Morris <[EMAIL PROTECTED]> wrote: > On Thu, 9 Aug 2007, David Howells wrote: > > > James Morris <[EMAIL PROTECTED]> wrote: > > > > > David, I've looked at the code and can't see that you need to access the > > > label itself outside the LSM. Could you instead simply pass the inode > > > pointer around? > > > > It's not quite that simple. I need to impose *two* security labels in > > cachefiles_begin_secure() when I'm about to act on behalf of a process > that's > > tried to access a netfs file: > > Ah ok, we had a similar problem with NFS mount options. > > While I'm concerned about encoding SELinux-optimized secid labels into > general kernel structures, moving to more generalized pointers introduces > lifecycle maintenance issues and complexity which is not needed in the > mainline kernel. i.e. it'll be unused infrastructure maintained by > upstream, and used only by out-of-tree modules. > > So, given that the kernel has no stable API, I suggest accepting the u32 > secid as you propose, and if someone wants to merge a module which also > uses these hooks, but is entirely unable to use u32 labels, then they can > also justify making the interface more generalized and provide the code > for it.
Grumble. Yet another thing to undo in the near future. I still hope to suggest what I would consider a viable alternative "soon". Casey Schaufler [EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
