On Sunday 11 November 2007 5:34:27 pm James Morris wrote:
> On Fri, 9 Nov 2007, Paul Moore wrote:
+ /* Between selinux_compat_net and selinux_policycap_netpeer this is
+* starting to get a bit messy - we need to setup a timetable for
+* deprecating some of this old/obsolete functionality so we can
+* reclaim some level of sanity in this function. */
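
Review bot: The multi-line comment added here does not follow the kernel's preferred comment layout: the text starts on the same line as the opening "/*", the continuation lines begin with "*" directly after the "+", and the closing "*/" shares the last line of text. Put "/*" and "*/" on lines of their own and start each continuation line with " * ". In the second line, "setup" is the noun form; the verb should read "set up a timetable".
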
> I don't think we can do anything which could potentially break userspace
> now.

Yeah, I've already had one very long day as a result of that, I'm not in any
hurry to do that again :)
On a serious note, I thought we could remove specific features after a certain
period of time, i.e. Documentation/feature-removal-schedule.txt? My thought
is that eventually we can at least remove compat_net, or is that too drastic?

> So, this one really needs to be right :-)

Yeah, this is the one thing that still worries me and one of the main reasons
I keep pushing RFC patches so often.
Personally, I'm still a little frustrated at how ugly that function looks.
I'm debating putting a check near the top to see if any of
the compatibility flags are set, meaning an older policy, and if it is just
handing off control to a compat function which handles all the ugliness.
There might be some duplication of code but the sock_rcv_skb() function would
be _much_ cleaner and faster in the current policy case.
Actually, I think I just talked myself into it ...
--
paul moore
linux security @ hp