[RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version

Mimi Zohar zohar at linux.vnet.ibm.com
Thu Jan 21 13:15:02 PST 2016


On Thu, 2016-01-21 at 10:45 -0500, Paul Moore wrote:
> On Thursday, January 21, 2016 08:12:12 AM Mimi Zohar wrote:
> > Paul, Casey, Kees, Jon, Tetsuo does it make sense to consolidate the
> > module, firmware, and kexec pre and post security hooks and have just
> > one set of pre and post security kernel_read_file hook instead?   Does
> > it make sense for this patch set to define the new hooks to allow the
> > LSMs to migrate to it independently of each other?
> 
> Well, as usual, the easiest way to both get solid feedback and actually get a 
> change accepted is to post patches to the affected LSMs.  Probably not what 
> you wanted to hear, but at least I'm honest :)

Unless I'm misreading the code, it might be a lot simpler than I
thought.  Of the three LSM hooks kernel_module_request,
kernel_module_from_file, and kernel_fw_from_file, the only upstreamed
LSM on any of these hooks is SELinux, which is only on the
kernel_module_request hook.

After converting the SELinux kernel_module_request hook to use the new
kernel_read_file(),  do I then remove the three hooks?   Are we
concerned about "minor" LSMs that have not been upstreamed that might be
using these hooks?

Mimi




More information about the kexec mailing list