[PATCH v3 3/5] security: Replace indirect LSM hook calls with static calls

Song Liu song at kernel.org
Thu Sep 21 21:02:55 UTC 2023


On Mon, Sep 18, 2023 at 2:25 PM KP Singh <kpsingh at kernel.org> wrote:
>
[...]
>
> While this patch uses static_branch_unlikely indicating that an LSM hook
> is likely to be not present, a subsequent patch makes it configurable. In most
> cases this is still a better choice as even when an LSM with one hook is
> added, empty slots are created for all LSM hooks (especially when many
> LSMs that do not initialize most hooks are present on the system).
>
> There are some hooks that don't use the call_int_hook and
> call_void_hook. These hooks are updated to use a new macro called
> security_for_each_hook where the lsm_callback is directly invoked as an
> indirect call. Currently, there are no performance sensitive hooks that
> use the security_for_each_hook macro. However, if some performance
> sensitive hooks are discovered, these can be updated to use static calls
> with loop unrolling as well using a custom macro.
>
> [1] https://lore.kernel.org/linux-security-module/20220609234601.2026362-1-kpsingh@kernel.org/
>
> Signed-off-by: KP Singh <kpsingh at kernel.org>

Acked-by: Song Liu <song at kernel.org>

> ---
[...]


