[PATCH v2 3/9] security: define security_kernel_read_blob() wrapper
Mimi Zohar
zohar at linux.vnet.ibm.com
Fri May 18 17:55:33 UTC 2018
On Sat, 2018-05-19 at 03:13 +1000, James Morris wrote:
> On Thu, 17 May 2018, Eric W. Biederman wrote:
>
> > Nacked-by: "Eric W. Biederman" <ebiederm at xmission.com>
> >
> > Nack on this sharing nonsense. These two interfaces do not share any
> > code in their implementations other than the if statement to distinguish
> > between the two cases.
>
> Hmm, it's not even doing that.
>
> There's already an if(!file && read_id == X) { } check and this is another
> one being added.
>
> > If we want comprehensible and maintainable code in the security modules
> > we need to split these two pieces of functionality apart.
>
> All ima_read is doing in both the old and new case is checking if there's
> no file then if it's a certain operation, returning an error.
>
> To echo Eric and Casey's suggestions, how about changing the name of the
> hook to security_kernel_read_data() ?
Thanks, James. Somehow I missed this option. Renaming the existing
hook, would be the easiest solution. Eric, are you in agreement with
James' naming suggestion/solution?
> Then ima_read_file() can be changed to ima_read_data(), and then instead
> of two if (!file && read_id == X) checks, have:
>
> if (!file) {
> switch (read_id) {
> }
> }
>
>
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list