[PATCH v8 5/5] security: Add CONFIG_SECURITY_HOOK_LIKELY

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Fri Dec 8 22:56:33 UTC 2023


On 2023/12/09 7:05, Kees Cook wrote:
> Okay, I understand now. Sorry for frustrating you! By "way forward",
> I meant I didn't understand how to address what looked like conflicting
> feedback. I think my confusion was over separating the goal ("this
> feature should be automatically enabled when it is known to be useful")
> from an interpretation of earlier feedback as "I don't want a CONFIG [that
> leaves this up to the user]", when what you really wanted understood was
> "I don't want a CONFIG *ever*, regardless of whether it picks the correct
> setting automatically".

Is it possible to change the direction from "call all individual callbacks from security/security.c"
to "call next callback at end of current callback if current callback succeeded and next callback is
defined, and security/security.c calls only the first callback"
( https://lkml.kernel.org/r/38b318a5-0a16-4cc2-878e-4efa632236f3@I-love.SAKURA.ne.jp ),
something like

static int module_specific_some_ops(args) {
	if (logic_for_this_module(args)) {
		return -EPERM;
	}
	return 0;
}

static int autogenerated_some_ops(args) {
	int ret = module_specific_some_ops(args);
	if (ret == 0) {
		ret = static_call(next_registered_hook)(args);
	}
	return ret;
}

and let LSM_HOOK_INIT() macro generate autogenerated_some_ops() part?
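
A userspace C model of the chaining proposed in the message above, added here as an illustration and not code from the thread or the kernel. A plain function pointer stands in for static_call(), and DEFINE_CHAINED_HOOK, the mod_a/mod_b checks, register_chain() and the sample paths are hypothetical names constructed for this example.

```c
#include <errno.h>
#include <string.h>

/* Userspace model: a plain function pointer stands in for static_call(). */
typedef int (*file_open_fn)(const char *path);
static file_open_fn first_hook;
static int calls_a, calls_b;	/* how often each module's check ran */

/* Hypothetical module-specific checks (constructed for this example). */
static int mod_a_file_open(const char *path)
{
	calls_a++;
	return strcmp(path, "/etc/shadow") == 0 ? -EPERM : 0;
}
static int mod_b_file_open(const char *path)
{
	calls_b++;
	return strncmp(path, "/proc/", 6) == 0 ? -EPERM : 0;
}

/* Generates the wrapper: run the module's check, chain only on success. */
#define DEFINE_CHAINED_HOOK(mod)				\
	static file_open_fn mod##_next;	/* NULL = last */	\
	static int mod##_chained(const char *path)		\
	{							\
		int ret = mod##_file_open(path);		\
		if (ret == 0 && mod##_next)			\
			ret = mod##_next(path);			\
		return ret;					\
	}
DEFINE_CHAINED_HOOK(mod_a)
DEFINE_CHAINED_HOOK(mod_b)

static void register_chain(void)
{
	mod_a_next = mod_b_chained;	/* A -> B; mod_b_next stays NULL */
	first_hook = mod_a_chained;
}

/* The central entry point calls only the first callback. */
static int security_file_open(const char *path)
{
	return first_hook ? first_hook(path) : 0;
}

int main(void)
{
	register_chain();
	return security_file_open("/etc/shadow") == -EPERM ? 0 : 1;
}
```

In this model a denial from the first module stops the chain, so the second module's check never runs for that call, which matches the short-circuit behaviour of the wrapper sketched in the message.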



