[PATCH v12 3/5] security: Replace indirect LSM hook calls with static calls

Jonathan Corbet corbet at lwn.net
Thu Jun 27 20:28:03 UTC 2024


KP Singh <kpsingh at kernel.org> writes:

> LSM hooks are currently invoked from a linked list as indirect calls
> which are invoked using retpolines as a mitigation for speculative
> attacks (Branch History / Target injection) and add extra overhead which
> is especially bad in kernel hot paths:

I hate to bug you with a changelog nit, but this is the sort of thing
that might save others some work..

[...]

> A static key guards whether an LSM static call is enabled or not,
> without this static key, for LSM hooks that return an int, the presence
> of the hook that returns a default value can create side-effects which
> has resulted in bugs [1].

I looked in vain for [1] to see what these bugs were.  After sufficient
digging, I found that the relevant URL:

  https://lore.kernel.org/linux-security-module/20220609234601.2026362-1-kpsingh@kernel.org/

was evidently dropped in v4 of the patch set last September, and nobody
evidently noticed.  If there's a v13, I might humbly suggest putting it
back :)

Thanks,

jon



More information about the Linux-security-module-archive mailing list