--- Casey Schaufler <casey(a)schaufler-ca.com> wrote:
Date: Thu, 9 Aug 2007 11:43:53 -0700 (PDT)
From: Casey Schaufler <casey(a)schaufler-ca.com>
Subject: Re: Upstreaming shared LSM interfaces
To: "David P. Quigley" <dpquigl(a)tycho.nsa.gov>,
Stephen Smalley <sds(a)tycho.nsa.gov>, James Morris
<jmorris(a)namei.org>,
David Howells <dhowells(a)redhat.com>,
Casey Schaufler <casey(a)schaufler-ca.com>
--- "David P. Quigley" <dpquigl(a)tycho.nsa.gov> wrote:
> Hello Everyone,
> Between Casey's Audit patches, the FS-Cache patches and the Labeled NFS
> patches there are a bunch of new LSM interfaces being proposed that some
> combination of us seem to need. I would like to propose that we agree on
> the interfaces and send them to James to be upstreamed. The interfaces
> and the proposed prototypes are listed below

I was wrong to propose the hooks that get the secids to feed to
the audit system. I had hoped that I could contain the scope of
the changes required to the audit system to pull SELinux dependencies
out by allowing the continued use of secids in that case. I see
now the error in my ways and will shortly propose an alternative
patch set for the deselinuxification of audit.

The secid is an internal SELinux data structure (albeit one with
many favorable characteristics) and the LSM interface ought not
be exposing it.

> Interfaces:
>
> inode_{get,set}secid: From Labeled NFS patches
> void (*inode_getsecid)(struct inode *inode, u32 *secid);
> void (*inode_setsecid)(struct inode *inode, u32 secid);
>
>
> ipc_getsecid: From Audit patches
> void (*ipc_getsecid) (struct kern_ipc_perm *p, u32 *secid);
>
> {get,set}_fscreate_secid: From FS-Cache patches
> u32 (*get_fscreate_secid)(void);
> u32 (*set_fscreate_secid)(u32 secid);
>
>
> secctx_to_secid: From Labeled NFS patches
> int (*secctx_to_secid)(u32 *secid, char *secdata, u32 seclen);
>
> act_as_{secid,self}: From FS-Cache patches
> u32 (*act_as_secid)(u32 secid);
> u32 (*act_as_self)(void);
>
>
> Dave Quigley
>
>
>
Casey Schaufler
casey(a)schaufler-ca.com