From: Al Viro <viro@ZenIV.linux.org.uk>
To: James Morris <jmorris@namei.org>
Cc: "Kasatkin, Dmitry" <dmitry.kasatkin@intel.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-fsdevel@vger.kernel.org,
linux-security-module <linux-security-module@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Mimi Zohar <zohar@linux.vnet.ibm.com>
Subject: Re: IMA policy search speedup
Date: Wed, 19 Sep 2012 05:46:51 +0100 [thread overview]
Message-ID: <20120919044651.GY13973@ZenIV.linux.org.uk> (raw)
In-Reply-To: <alpine.LRH.2.02.1209191419410.29525@tundra.namei.org>
On Wed, Sep 19, 2012 at 02:21:56PM +1000, James Morris wrote:
> On Tue, 18 Sep 2012, Kasatkin, Dmitry wrote:
>
> > I looked to <linux/fs.h> and found that there is a possibility to to
> > add additional flag for sb->s_flags.
> > For example
> >
> > #define MS_NOT_IMA (1<<25) /* NOT_IMA */
> > #define IS_I_NOT_IMA(inode) __IS_FLG(inode, MS_NOT_IMA)
> >
> >
> > Another way is to add additional dedicated integrity related member to
> > the sb structure.
> > struct super_block {
> > ...
> > #ifdef CONFIG_INTEGRITY
> > int s_integrity;
> > #endif
> > };
> >
> > Obviously there are only few super blocks in the system and few bytes
> > will not harm.
>
> The flag seems better than adding a new struct member. Why would you need
> an int for this?
Per-superblock bit would be a bit better, but I really hate the way we have
them mixed up between superblock ->s_flags bits and mount(2) action weirdly
encoded into flags thing. If we are going to touch that thing, how about
separate S_... bits, with MS_... crap left only for mount(2) decoding? Mapped
to S_... when needed.
The really messy part is that right now we silently ignore all the unknown
bits in mount(2) flags argument ;-/ It's *not* a widely used syscall, but
still - changing that in a non-trivial way is potential userland breakage.
next prev parent reply other threads:[~2012-09-19 4:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-18 9:44 IMA policy search speedup Kasatkin, Dmitry
2012-09-19 4:21 ` James Morris
2012-09-19 4:46 ` Al Viro [this message]
2012-09-19 10:50 ` Kasatkin, Dmitry
2012-09-19 10:25 ` Kasatkin, Dmitry
2012-09-19 20:07 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120919044651.GY13973@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=dmitry.kasatkin@intel.com \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.