On 2/5/2021 6:17 AM, Serge E. Hallyn wrote:
On Tue, Feb 02, 2021 at 05:27:03PM +0100, Mickaël Salaün wrote:
From: Casey Schaufler casey@schaufler-ca.com
Move management of the superblock->sb_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules, the modules tell the infrastructure how much space is required, and the space is allocated there.
Cc: Kees Cook keescook@chromium.org
Cc: John Johansen john.johansen@canonical.com
Signed-off-by: Casey Schaufler casey@schaufler-ca.com
Signed-off-by: Mickaël Salaün mic@linux.microsoft.com
Reviewed-by: Stephen Smalley stephen.smalley.work@gmail.com
Acked-by: Serge Hallyn serge@hallyn.com
I wonder how many out of tree modules this will impact :)
There are several blobs that have already been converted to infrastructure management. Not a peep from out-of-tree module developers/maintainers. I can only speculate that OOT modules are either less common than we may think, using alternative data management models (as does eBPF) or sticking with very old kernels. It's also possible that they're suffering in silence, which would be sad because every module that's worth having should be in the tree.
Actually if some new incoming module does an rcu callback to free the sb_security, then the security_sb_free will need an update, but that seems unlikely.
We're already doing that for the inode blob, so it's really just a small matter of cut-n-paste and s/inode/sb/ to make that happen.
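A userspace model of the scheme the commit message describes, added here as an example; it is not code from the patch or from the kernel. Every name in it (`blob_sizes`, `register_module`, `model_sb`, `sb_alloc`, `sb_free`, `module_sb`) is hypothetical, and pointer-size alignment of each module's region is an assumption of the model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model; every name here is hypothetical. */
struct blob_sizes { size_t sb; };      /* in: bytes wanted, out: offset in blob */
struct model_sb { void *security; };   /* stands in for the superblock's blob pointer */

static size_t total_sb_size;           /* sum of all modules' requests */

/* A module states how much space it needs; the infrastructure hands back
 * the offset of its region and grows the shared total. */
static void register_module(struct blob_sizes *m)
{
    size_t want = m->sb, align = sizeof(void *);

    if (want == 0)
        return;
    total_sb_size = (total_sb_size + align - 1) / align * align;
    m->sb = total_sb_size;
    total_sb_size += want;
}

/* The infrastructure, not the module, allocates one zeroed blob per superblock. */
static int sb_alloc(struct model_sb *sb)
{
    sb->security = total_sb_size ? calloc(1, total_sb_size) : NULL;
    return (total_sb_size && !sb->security) ? -1 : 0;
}

/* ...and it frees the blob, so no module may free the pointer itself. */
static void sb_free(struct model_sb *sb)
{
    free(sb->security);
    sb->security = NULL;
}

/* Module-side accessor: blob base plus the offset assigned at registration. */
static void *module_sb(const struct model_sb *sb, const struct blob_sizes *m)
{
    return (char *)sb->security + m->sb;
}

int main(void)
{
    struct blob_sizes mod_a = { 12 }, mod_b = { 40 };   /* constructed sizes */
    struct model_sb sb;

    register_module(&mod_a);
    register_module(&mod_b);
    if (sb_alloc(&sb))
        return 1;
    memset(module_sb(&sb, &mod_a), 0xAA, 12);           /* A writes only its region */
    printf("A@%zu B@%zu total=%zu\n", mod_a.sb, mod_b.sb, total_sb_size);
    sb_free(&sb);
    return 0;
}
```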