[PATCH bpf-next 0/4] Reduce overhead of LSMs with static calls
Paolo Abeni
pabeni at redhat.com
Wed Jul 26 11:07:05 UTC 2023
Hi all,
On Tue, 2023-06-20 at 19:40 -0400, Paul Moore wrote:
> On Tue, Jun 13, 2023 at 6:03 PM KP Singh <kpsingh at kernel.org> wrote:
> > I tried proposing an idea in
> > https://patchwork.kernel.org/project/netdevbpf/patch/20220609234601.2026362-1-kpsingh@kernel.org/
> > as an LSM_HOOK_NO_EFFECT but that did not seemed to have stuck.
>
> It looks like this was posted about a month before I became
> responsible for the LSM layer as a whole, and likely was lost (at
> least on the LSM side of things) as a result.
>
> I would much rather see a standalone fix to address the unintended LSM
> interactions, then the static call performance improvements in a
> separate patchset.
Please allow me to revive this old thread. I learned about this effort
only recently and I'm interested into it.
Looking at patch 4/4 from this series, it *think* it's doable to
extract it from the series and make it work standalone. If so, would
that approach be ok from a LSM point of view?
One thing that I personally don't understand in said patch is how the
'__ro_after_init' annotation for the bpf_lsm_hooks fits the run-time
'default_state' changes?!?
Cheers,
Paolo
More information about the Linux-security-module-archive
mailing list