public inbox for linux-kernel@vger.kernel.org
From: Crispin Cowan <crispin@novell.com>
To: Chris Wright <chrisw@osdl.org>
Cc: "David Härdeman" <david@2gen.com>,
	linux-kernel@vger.kernel.org, linux-security-module@wirex.com
Subject: Re: LSM root_plug module questions
Date: Tue, 30 Aug 2005 15:38:37 -0700
Message-ID: <4314DFED.8030608@novell.com>
In-Reply-To: <20050830215518.GX7991@shell0.pdx.osdl.net>

Chris Wright wrote:
> * David Härdeman (david@2gen.com) wrote:
>   
>> 2) root_plug currently scans the usb device tree looking for the 
>> appropriate device each time it's needed. In the interest of making the 
>> result of the lookup cached, is it possible for a module to register so 
>> that it is notified when a usb device is added/removed?
>>     
> I don't think that can be done in a race free manner.  Perhaps get the
> device and check its state, but you'd have to ask usb folks.  ATM, it's
> only checked during exec of root process.
>   
Why do you want to optimize root_plug's scan for the device? Are you
planning on logging in thousands of times per second? If it was a big
RADIUS or SSO server, that would make sense, but this is the "are you
physically present at the console?" login security, so I submit that it
happens at most a couple of times per minute, and from there it does not
matter if it takes a second or two to scan the USB devices.

OTOH, it looks from the above comments that the root_plug may be checked
on *all* exec's of root processes. If that is the case, then you do have
more of an optimization issue. However, I then submit that the correct
optimization is to choke down the check so that it is only performed on
root exec's that represent logins rather than all execs, instead of
trying to make the check go faster.

Crispin
-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com

