[PATCH v7 0/5] Reduce overhead of LSMs with static calls

KP Singh kpsingh at kernel.org
Thu Nov 2 10:01:03 UTC 2023


On Thu, Nov 2, 2023 at 10:42 AM Tetsuo Handa
<penguin-kernel at i-love.sakura.ne.jp> wrote:
>
> I didn't get your response on https://lkml.kernel.org/r/c588ca5d-c343-4ea2-a1f1-4efe67ebb8e3@I-love.SAKURA.ne.jp .
>
> Do you agree that we cannot replace LKM-based LSMs with eBPF-based access control mechanisms,
> and do you admit that this series makes LKM-based LSMs more difficult to use?

If you want to do a proper in-tree version of dynamic LSMs, there can
be an exported symbol that allocates a dynamic slot and registers LSM
hooks to it. This is very doable, but it's not my use case, so I am
not going to do it.

No, it does not make LKM-based LSMs difficult to use. I am not ready to
have that debate again. I suggested multiple extensions in my replies
which you chose to ignore.

Regarding BPF, it's very much possible. As I suggested many times, you
need to rethink it in terms of implementing policy and not try
to dump the whole code and interface into BPF and expect it to work.
It will need some design work and that's on you. We can help you, we
can also take patches for anything BPF would need to make stuff work
(I don't see anything obvious needed yet). But we surely won't write
the code for you.


