[RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version
Mimi Zohar
zohar at linux.vnet.ibm.com
Thu Jan 21 13:15:02 PST 2016
On Thu, 2016-01-21 at 10:45 -0500, Paul Moore wrote:
> On Thursday, January 21, 2016 08:12:12 AM Mimi Zohar wrote:
> > Paul, Casey, Kees, Jon, Tetsuo does it make sense to consolidate the
> > module, firmware, and kexec pre and post security hooks and have just
> > one set of pre and post security kernel_read_file hook instead? Does
> > it make sense for this patch set to define the new hooks to allow the
> > LSMs to migrate to it independently of each other?
>
> Well, as usual, the easiest way to both get solid feedback and actually get a
> change accepted is to post patches to the affected LSMs. Probably not what
> you wanted to hear, but at least I'm honest :)
Unless I'm misreading the code, it might be a lot simpler than I
thought. Of the three LSM hooks kernel_module_request,
kernel_module_from_file, and kernel_fw_from_file, the only upstreamed
LSM on any of these hooks is SELinux, which is only on the
kernel_module_request hook.
After converting the SELinux kernel_module_request hook to use the new
kernel_read_file(), do I then remove the three hooks? Are we
concerned about "minor" LSMs that have not been upstreamed that might be
using these hooks?
Mimi
More information about the kexec
mailing list