[PATCH v6 5/5] kernfs: initialize security of newly created nodes

Tejun Heo tj at kernel.org
Fri Feb 15 15:50:14 UTC 2019


On Fri, Feb 15, 2019 at 04:45:44PM +0100, Ondrej Mosnacek wrote:
> On Thu, Feb 14, 2019 at 4:49 PM Tejun Heo <tj at kernel.org> wrote:
> > On Thu, Feb 14, 2019 at 10:50:15AM +0100, Ondrej Mosnacek wrote:
> > > +static int kernfs_node_init_security(struct kernfs_node *parent,
> > > +                                  struct kernfs_node *kn)
> >
> > Can we skip the whole thing if security is not enabled?
> 
> Do you mean just skipping the whole part when CONFIG_SECURITY=n? That
> is easy to do and I can add it in the next respin (although the
> compiler should be able to optimize most of it out in that case).

So the goal is allowing folks who don't use this to not pay.  It'd be
better the evaulation can be as late as possible but obviously there's
a point where that'd be too complicated.  Maybe "ever enabled in this
boot" is a good and simple enough at the same time?

Thanks.

-- 
tejun



More information about the Linux-security-module-archive mailing list