[RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version

Paul Moore pmoore at redhat.com
Thu Jan 21 13:26:56 PST 2016


On Thursday, January 21, 2016 04:15:02 PM Mimi Zohar wrote:
> On Thu, 2016-01-21 at 10:45 -0500, Paul Moore wrote:
> > On Thursday, January 21, 2016 08:12:12 AM Mimi Zohar wrote:
> > > Paul, Casey, Kees, Jon, Tetsuo, does it make sense to consolidate the
> > > module, firmware, and kexec pre and post security hooks and have just
> > > one set of pre and post security kernel_read_file hooks instead?  Does
> > > it make sense for this patch set to define the new hooks to allow the
> > > LSMs to migrate to it independently of each other?
> > 
> > Well, as usual, the easiest way to both get solid feedback and actually
> > get a change accepted is to post patches to the affected LSMs.  Probably
> > not what you wanted to hear, but at least I'm honest :)
> 
> Unless I'm misreading the code, it might be a lot simpler than I
> thought.  Of the three LSM hooks kernel_module_request,
> kernel_module_from_file, and kernel_fw_from_file, the only upstreamed
> LSM on any of these hooks is SELinux, which is only on the
> kernel_module_request hook.
> 
> After converting the SELinux kernel_module_request hook to use the new
> kernel_read_file(), do I then remove the three hooks?  Are we
> concerned about "minor" LSMs that have not been upstreamed that might be
> using these hooks?

You can't worry about code that isn't upstream; if this change breaks 
something that hasn't been merged, then the burden lies on the out-of-tree 
developers to change their code.

-- 
paul moore
security @ redhat




More information about the kexec mailing list