From mboxrd@z Thu Jan 1 00:00:00 1970
From: Linus Torvalds
Subject: Re: [PATCH 0/2] ima: policy search speedup
Date: Tue, 11 Dec 2012 12:05:08 -0800
Message-ID:
References: <1355234914.2356.85.camel@falcor> <1355249884.2356.108.camel@falcor> <1355252392.2356.131.camel@falcor> <1355255320.2356.148.camel@falcor>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Cc: Eric Paris, "Kasatkin, Dmitry", Al Viro, linux-fsdevel, LSM List, Linux Kernel Mailing List, James Morris
To: Mimi Zohar
Return-path:
In-Reply-To: <1355255320.2356.148.camel@falcor>
Sender: linux-security-module-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

On Tue, Dec 11, 2012 at 11:48 AM, Mimi Zohar wrote:
>
> Ok. To summarize, S_IMA indicates that there is a rule and that the iint
> was allocated. To differentiate between 'haven't looked/don't know' and
> 'definitely not', we need another bit. For this, you're suggesting
> using IS_PRIVATE()? Hopefully, I misunderstood.

No, for that, I'm suggesting using a new bit in i_flags.

The "IS_PRIVATE()" thing is more a "if you know a-priori that you
aren't interested in pseudo-filesystems, you can already check that
bit, because it will be set for things like /proc and shmem mappings
and pipes etc".

Dmitry seemed to imply that the biggest use for the new bit was for
taking out whole pseudo-filesystems in one go. That would pretty much
be what S_PRIVATE is.

Linus
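
The three states discussed in this message ("rule exists", "definitely not", "haven't looked"), as an added userspace model that is not part of the original e-mail and is not kernel code. `S_IMA_NONE`, `inode_model`, `policy_match`, `ima_must_handle` and `policy_changed` are hypothetical names, the bit values are constructed, and the invalidation step is an assumption of this model about how a cached negative would be kept from going stale.

```c
#include <stdio.h>

/* Userspace model only: bit values are constructed, not the kernel's. */
#define S_PRIVATE  0x1u /* pseudo-filesystem inode (/proc, shmem, pipes) */
#define S_IMA      0x2u /* a rule matched and the iint was allocated */
#define S_IMA_NONE 0x4u /* hypothetical new bit: searched, "definitely not" */

struct inode_model {
    unsigned int i_flags;
    int rule_applies;    /* what the (constructed) policy says about it */
};

static int policy_walks; /* how many times the slow rule search ran */

static int policy_match(const struct inode_model *in)
{
    policy_walks++;      /* stand-in for walking the policy rule list */
    return in->rule_applies;
}

/* Returns 1 if the inode must be handled, 0 if it can be skipped. */
static int ima_must_handle(struct inode_model *in)
{
    if (in->i_flags & S_PRIVATE)  /* known a priori, no search, no caching */
        return 0;
    if (in->i_flags & S_IMA)      /* cached "yes" */
        return 1;
    if (in->i_flags & S_IMA_NONE) /* cached "definitely not" */
        return 0;
    if (policy_match(in)) {       /* neither bit set: "haven't looked" */
        in->i_flags |= S_IMA;
        return 1;
    }
    in->i_flags |= S_IMA_NONE;
    return 0;
}

/* Model assumption: a policy change drops the cached negative, otherwise
 * an inode covered by a new rule would keep being skipped. */
static void policy_changed(struct inode_model *in)
{
    in->i_flags &= ~S_IMA_NONE;
}

int main(void)
{
    struct inode_model f = { 0, 1 };
    int first = ima_must_handle(&f), second = ima_must_handle(&f);
    printf("first=%d second=%d walks=%d\n", first, second, policy_walks);
    return 0;
}
```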