[apparmor] [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook
Eddie Bulgara
bulgarabulgara769 at gmail.com
Thu May 8 15:27:49 UTC 2025
On Thu, May 8, 2025, 8:20 AM Tetsuo Handa <penguin-kernel at i-love.sakura.ne.jp> wrote:
> On 2025/05/08 23:44, John Johansen wrote:
> > On 5/8/25 05:55, Tetsuo Handa wrote:
> >> On 2025/05/08 17:25, John Johansen wrote:
> >>> That is fine. But I am curious what the interface would look like to fit TOMOYO's
> >>> needs.
> >>
> >> Stream (like "FILE *") with restart from the beginning (like rewind(fp)) support.
> >> That is, the caller can read/write at least one byte at a time, and written data
> >> is processed upon encountering '\n'.
> >>
> >
> > that can be emulated within the current syscall, where the lsm maintains a buffer.
>
> That cannot be emulated, for there is no event that is automatically triggered when
> the process terminates (i.e. implicit close() upon exit()) in order to release the
> buffer the LSM maintains.
>
> > Are you asking to also read data back out as well, that could be added, but doing
> > a syscall per byte here or through the fs is going to have fairly high overhead.
>
> At least one byte means arbitrary bytes; that is, the caller does not need to read
> or write the whole policy at one syscall.
>
> >
> > Without understanding the requirement it would seem to me, that it would be
> > better to emulate that file buffer manipulation in userspace similar say C++
> > stringstreams, and then write the syscall when done.
>
> The size of the whole policy in bytes varies a lot.
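The two positions above (a kernel-side stream with rewind versus buffering in userspace and submitting once) can be made concrete with a small userspace emulation of the FILE*-like stream Tetsuo describes. This is an added illustration written for this archive page, not code from the thread, from AppArmor or from TOMOYO; the `policy_stream` type and `ps_*` helpers are hypothetical names, the policy lines are constructed samples in a TOMOYO-like one-statement-per-line shape, and the single policy-loading syscall the finished buffer would be handed to is out of scope, so the caller is simply given the byte count of the complete statements.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical userspace policy stream: writes of any size (one byte or
 * more) are appended, every '\n' completes one policy statement, rewind
 * restarts reading, and the process keeps the buffer until it hands the
 * complete statements to a single policy-loading call. Because the buffer
 * lives in the process, exit() releases it without any kernel-side event. */
typedef struct {
    char *data;
    size_t len;             /* bytes stored */
    size_t cap;             /* allocated capacity */
    size_t rpos;            /* read cursor, reset by ps_rewind() */
    size_t complete_lines;  /* number of '\n'-terminated statements */
    size_t complete_len;    /* bytes up to and including the last '\n' */
} policy_stream;

int ps_init(policy_stream *ps)
{
    memset(ps, 0, sizeof(*ps));
    ps->cap = 64;
    ps->data = malloc(ps->cap);
    return ps->data ? 0 : -1;
}

void ps_free(policy_stream *ps)
{
    free(ps->data);
    memset(ps, 0, sizeof(*ps));
}

/* Append n bytes; returns bytes stored or -1 on allocation failure. */
ssize_t ps_write(policy_stream *ps, const char *buf, size_t n)
{
    if (ps->len + n > ps->cap) {
        size_t ncap = ps->cap;
        while (ncap < ps->len + n)
            ncap *= 2;
        char *nd = realloc(ps->data, ncap);
        if (!nd)
            return -1;
        ps->data = nd;
        ps->cap = ncap;
    }
    memcpy(ps->data + ps->len, buf, n);
    for (size_t i = 0; i < n; i++) {
        if (buf[i] == '\n') {            /* a statement is complete */
            ps->complete_lines++;
            ps->complete_len = ps->len + i + 1;
        }
    }
    ps->len += n;
    return (ssize_t)n;
}

/* Read up to n bytes from the cursor; returns bytes copied (0 at end). */
ssize_t ps_read(policy_stream *ps, char *out, size_t n)
{
    size_t avail = ps->len - ps->rpos;
    if (n > avail)
        n = avail;
    memcpy(out, ps->data + ps->rpos, n);
    ps->rpos += n;
    return (ssize_t)n;
}

void ps_rewind(policy_stream *ps)
{
    ps->rpos = 0;
}

/* Assemble a policy from fragments (constructed sample lines) and return the
 * number of complete statements; the trailing partial line stays buffered. */
size_t demo_assemble(void)
{
    policy_stream ps;
    size_t lines;
    if (ps_init(&ps) < 0)
        return 0;
    ps_write(&ps, "file read /etc/pa", strlen("file read /etc/pa"));
    ps_write(&ps, "sswd\n", strlen("sswd\n"));
    ps_write(&ps, "network inet stream connect 127.0.0.1 80\n",
             strlen("network inet stream connect 127.0.0.1 80\n"));
    ps_write(&ps, "file wri", strlen("file wri"));   /* not yet a statement */
    lines = ps.complete_lines;
    ps_free(&ps);
    return lines;
}

/* Read three bytes, rewind, then re-read one byte at a time; returns the
 * total re-read, which equals everything written if rewind works. */
size_t demo_rewind(void)
{
    policy_stream ps;
    char c;
    size_t total = 0;
    if (ps_init(&ps) < 0)
        return 0;
    ps_write(&ps, "a\nb\n", 4);
    for (int i = 0; i < 3; i++)
        ps_read(&ps, &c, 1);
    ps_rewind(&ps);
    while (ps_read(&ps, &c, 1) == 1)
        total++;
    ps_free(&ps);
    return total;
}

int main(void)
{
    printf("complete statements: %zu\n", demo_assemble());
    printf("bytes re-read after rewind: %zu\n", demo_rewind());
    return 0;
}
```

The point of the emulation is that the piecewise read/write/rewind semantics survive in userspace, and the only kernel transition is the final one-shot submission of `complete_len` bytes, which also sidesteps the missing implicit-close cleanup that a kernel-held buffer would need.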