[RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version
Paul Moore
pmoore at redhat.com
Thu Jan 21 13:26:56 PST 2016
On Thursday, January 21, 2016 04:15:02 PM Mimi Zohar wrote:
> On Thu, 2016-01-21 at 10:45 -0500, Paul Moore wrote:
> > On Thursday, January 21, 2016 08:12:12 AM Mimi Zohar wrote:
> > > Paul, Casey, Kees, Jon, Tetsuo, does it make sense to consolidate the
> > > module, firmware, and kexec pre and post security hooks and have just
> > > one set of pre and post security kernel_read_file hook instead? Does
> > > it make sense for this patch set to define the new hooks to allow the
> > > LSMs to migrate to it independently of each other?
> >
> > Well, as usual, the easiest way to both get solid feedback and actually
> > get a change accepted is to post patches to the affected LSMs. Probably
> > not what you wanted to hear, but at least I'm honest :)
>
> Unless I'm misreading the code, it might be a lot simpler than I
> thought. Of the three LSM hooks kernel_module_request,
> kernel_module_from_file, and kernel_fw_from_file, the only upstreamed
> LSM on any of these hooks is SELinux, which is only on the
> kernel_module_request hook.
>
> After converting the SELinux kernel_module_request hook to use the new
> kernel_read_file(), do I then remove the three hooks? Are we
> concerned about "minor" LSMs that have not been upstreamed that might be
> using these hooks?
You can't worry about code that isn't upstream; if this change breaks
something that hasn't been merged, then the burden lies on the out-of-tree
developers to change their code.
--
paul moore
security @ redhat