[PATCH v12 0/5] Reduce overhead of LSMs with static calls

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Sat May 18 06:01:03 UTC 2024


On 2024/05/16 9:35, KP Singh wrote:
> Since we know the address of the enabled LSM callbacks at compile time and only
> the order is determined at boot time, the LSM framework can allocate static
> calls for each of the possible LSM callbacks and these calls can be updated once
> the order is determined at boot.

I don't like this assumption. None of the built-in LSMs is used by (or affordable for)
my customers. There is a reality that only out-of-tree security modules which the
distributor (namely, Red Hat) cannot support (and therefore cannot be built into
RHEL kernels) are used by (or affordable for) such customers.

Therefore, without giving room for allowing such security modules to load after
boot, I consider this change a regression.



