Re: [RFC PATCH v9 05/16] ipe: add userspace interface
On Wed, Apr 12, 2023 at 7:36 PM Fan Wu <wufan(a)linux.microsoft.com> wrote:
On Tue, Apr 11, 2023 at 05:45:41PM -0400, Paul Moore wrote:
> On Mon, Apr 10, 2023 at 3:10???PM Fan Wu <wufan(a)linux.microsoft.com> wrote:
> > On Thu, Mar 02, 2023 at 02:04:42PM -0500, Paul Moore wrote:
> > > On Mon, Jan 30, 2023 at 5:58???PM Fan Wu <wufan(a)linux.microsoft.com>
wrote:
...
> I guess this does make me wonder about keeping a non-active
policy
> loaded in the kernel, what purpose does that serve?
>
The non-active policy doesn't serve anything unless it is activated. User can
even delete a policy if that is no longer needed. Non-active is just the default
state when a new policy is loaded.
If IPE supports namespace, there is another use case where different containers
can select different policies as the active policy from among multiple loaded
policies. Deven has presented a demo of this during LSS 2021. But this goes
beyond the scope of this version.
Do you plan to add namespace support at some point in the
not-too-distant future? If so, I'm okay with keeping support for
multiple policies, but if you think you're only going to support one
active policy at a time, it might be better to remove support for
multiple (inactive) policies.
--
paul-moore.com