[PATCH v2 00/25] LSM: Module stacking for AppArmor

Casey Schaufler casey at schaufler-ca.com
Wed Jun 19 16:48:35 UTC 2019


On 6/18/2019 10:21 PM, Kees Cook wrote:
> On Tue, Jun 18, 2019 at 04:05:26PM -0700, Casey Schaufler wrote:
>> Patches 0004-0014 replace system use of a "secid" with
>> a structure "lsmblob" containing information from the
>> security modules to be held and reused later. At this
>> point lsmblob contains an array of u32 secids, one "slot"
>> for each of the security modules compiled into the
>> kernel that used secids. A "slot" is allocated when
>> a security module registers a hook for one of the interfaces
>> that uses a secid or a security context. The infrastructure
>> is changed to use the slot number to pass the correct
>> secid to or from the security module hooks.
> I found 14/25 in your git tree. Very satisfying to see all the
> scaffolding vanish for process_measurement() :)
>
> I like this progression in 4-14; I find it much much easier to review.
> My only complaint is the variable names. I think I'd prefer "blob" over
> "le" or "l", which both contain very little information about what
> they are.

I know what they are! OK, I get it. Using "blob" would make it
more obvious. It's a relatively easy change, so I'll incorporate
it going forward.


