Quoting Chris Wright ([EMAIL PROTECTED]): > * Serge E. Hallyn ([EMAIL PROTECTED]) wrote: > > Are you objecting only to the duplication at the callsites, so that an > > fsnotify-type of consolidation of security and integrity hooks would be > > ok? Or are you complaining that the security_inode_setxattr and > > integrity_inode_setxattr hooks are too similar anyway, and integrity > > modules should just use some lsm hooks for anything which will be > > authoritative? > > It's duplication of callsites with many identical implementations > that's the problem.
Yes it's ugly... But I guess it gets a point across :) > > (I could see an argument that integirty subsystem should be purely for > > measuring and hence its hooks should never return a value. Only hitch > > there is that if integrity subsystem hits ENOMEM it should be able to > > refuse the action...) > > Right, that's what I was expecting to see, just the measurement > infrastructure. So what you are saying is EVM would stay an LSM, with a cooperating integrity subsystem *just* doing measurements? That's kind of what i was expecting too, however that doesn't fit as well with the idea that an integrity subsystem prevents the need for lsm stacking. I think the idea was that evm would still be able to enforce integrity of selinux xattrs without it stack with selinux. So I can see where this approach came from. -serge - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/