On Thu, Apr 10, 2025 at 10:15 PM Kees Cook <k...@kernel.org> wrote:
> On Thu, Apr 10, 2025 at 06:47:12PM -0400, Paul Moore wrote:
> > On Wed, Apr 9, 2025 at 7:13 PM Kees Cook <k...@kernel.org> wrote:
> > > Better yet, do this whole thing in an initcall after LSMs are loaded, and
> > > both can gain __ro_after_init...
> >
> > I *really* disliked all the stuff we were having to do during boot,
> > and all the redundant global state we were keeping around. I'll go
> > ahead and cache the lsm_read() result local to the function but that's
> > probably all I'm going to accept at this point in time.
>
> Oh, for sure. I love that all that can get thrown away. I mean literally
> copy/paste what you have in lsm_read() and stick it immediately before
> the "lsms are done loading" notifier. Then it only needs to be done
> once, it's impossible to race, etc.

Maybe I'll change my mind at some point, but right now I'm feeling
pretty strongly against generating the list string at boot. I've
added a basic cache protected by a dumb spinlock in lsm_read which
should work.

--
paul-moore.com