Re: [PATCH 3/5] Call security hooks conditionally if the security_op is filled out.
From: Kurt Garloff (garloff_at_suse.de)
Date: 08/25/05
- Previous message: Denis Vlasenko: "Re: question on memory barrier"
- In reply to: Chris Wright: "[PATCH 3/5] Call security hooks conditionally if the security_op is filled out."
- Next in thread: Chris Wright: "Re: [PATCH 3/5] Call security hooks conditionally if the security_op is filled out."
- Reply: Chris Wright: "Re: [PATCH 3/5] Call security hooks conditionally if the security_op is filled out."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 25 Aug 2005 10:50:39 +0200 To: Chris Wright <chrisw@osdl.org>
On Wed, Aug 24, 2005 at 06:20:31PM -0700, Chris Wright wrote:
> Call security hooks conditionally if the security_op is filled out.
> Branches can be more efficient than the unconditional indirect function
> call. Inspired by patch from Kurt Garloff <garloff@suse.de>.
>
> Signed-off-by: Chris Wright <chrisw@osdl.org>
> ---
> include/linux/security.h | 825 +++++++++++++++++++++++------------------------
> 1 files changed, 411 insertions(+), 414 deletions(-)
>
> Index: linus-2.6/include/linux/security.h
> ===================================================================
> --- linus-2.6.orig/include/linux/security.h
> +++ linus-2.6/include/linux/security.h
> @@ -1264,10 +1264,10 @@ static inline int security_init(void)
> static inline int security_ptrace (struct task_struct * parent, struct task_struct * child)
> {
> #ifdef CONFIG_SECURITY
> - return security_ops->ptrace (parent, child);
> -#else
> - return cap_ptrace (parent, child);
> + if (security_ops->ptrace)
> + return security_ops->ptrace(parent, child);
You did not like my macro abuse, apparently.
That's too bad, as it allowed you to do changes without changing
hundreds of lines of code.
Just one remark:
Make sure you don't set security_ops->XXX ever back to NULL or you
might take an oops.
Security module unloading is racy and always has been. It's not well
defined at what point in time the new functions become effective.
And we certainly don't want to use locking for performance reasons.
One could think of using RCU, though, thus the security_ops pointer
would only be changed after all CPUs schedule()d ...
In my version of the patches, I maintained the capability_security_ops
structure fully filled-in and pointed security_ops to it, so you'll
always have a valid function pointer. If you wanted to avoid a pointer
compare, I had an integer to look at ...
Thanks for your patches!
-- Kurt Garloff <kurt@garloff.de> [Koeln, DE] Physics:Plasma modeling <garloff@plasimo.phys.tue.nl> [TU Eindhoven, NL] Linux: SUSE Labs (Director) <garloff@suse.de> [Novell Inc]
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
- application/pgp-signature attachment: stored
- Previous message: Denis Vlasenko: "Re: question on memory barrier"
- In reply to: Chris Wright: "[PATCH 3/5] Call security hooks conditionally if the security_op is filled out."
- Next in thread: Chris Wright: "Re: [PATCH 3/5] Call security hooks conditionally if the security_op is filled out."
- Reply: Chris Wright: "Re: [PATCH 3/5] Call security hooks conditionally if the security_op is filled out."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
