[PATCH v12 3/5] security: Replace indirect LSM hook calls with static calls

KP Singh kpsingh at kernel.org
Sat Jun 29 08:28:18 UTC 2024


On Fri, Jun 28, 2024 at 1:58 AM Jonathan Corbet <corbet at lwn.net> wrote:
>
> KP Singh <kpsingh at kernel.org> writes:
>
> > LSM hooks are currently invoked from a linked list as indirect calls
> > which are invoked using retpolines as a mitigation for speculative
> > attacks (Branch History / Target injection) and add extra overhead which
> > is especially bad in kernel hot paths:
>
> I hate to bug you with a changelog nit, but this is the sort of thing
> that might save others some work..
>
> [...]
>
> > A static key guards whether an LSM static call is enabled or not,
> > without this static key, for LSM hooks that return an int, the presence
> > of the hook that returns a default value can create side-effects which
> > has resulted in bugs [1].
>
> I looked in vain for [1] to see what these bugs were.  After sufficient
> digging, I found that the relevant URL:
>
>   https://lore.kernel.org/linux-security-module/20220609234601.2026362-1-kpsingh@kernel.org/
>

Thank you so much Jon, appreciate the attention to detail, I have
fixed it in v13.

- KP

> was evidently dropped in v4 of the patch set last September, and nobody
> evidently noticed.  If there's a v13, I might humbly suggest putting it
> back :)
>
> Thanks,
>
> jon



More information about the Linux-security-module-archive mailing list