[PATCH v3 5/5] security: Add CONFIG_SECURITY_HOOK_LIKELY
KP Singh
kpsingh at kernel.org
Thu Sep 21 08:53:16 UTC 2023
[...]
> > +config SECURITY_HOOK_LIKELY
> > + bool "LSM hooks are likely to be initialized"
> > + depends on SECURITY
> > + default y
> > + help
> > + This controls the behaviour of the static keys that guard LSM hooks.
> > + If LSM hooks are likely to be initialized by LSMs, then one gets
> > + better performance by enabling this option. However, if the system is
> > + using an LSM where hooks are much likely to be disabled, one gets
> > + better performance by disabling this config.
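Review bot: In the help text, "using an LSM where hooks are much likely to be disabled" is ungrammatical and leaves the condition vague; "much more likely to be disabled" would read correctly. The entry is also `default y` with only `depends on SECURITY`, while the help text itself says some setups perform better with the option off, so either the help should say which kind of LSM configuration that is, or the default should be derived from the LSMs that are selected rather than left for the user to work out.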
>
> Since you described the situations where it's a net benefit, this could
> be captured in the Kconfig too. How about this, which tracks the "major"
> LSMs as in the DEFAULT_SECURITY choice:
>
> depends on SECURITY && EXPERT
> default BPF_LSM || SECURITY_SELINUX || SECURITY_SMACK || SECURITY_TOMOYO || SECURITY_APPARMOR

I think for BPF_LSM the option would not be y. But yeah I like this suggestion.
>
>
> --
> Kees Cook