On Thu, Apr 20, 2006 at 09:15:52AM -0700, Greg KH wrote:
> On Thu, Apr 20, 2006 at 10:20:11AM -0400, Stephen Smalley wrote:
> > On Thu, 2006-04-20 at 08:00 -0700, Greg KH wrote:
> > > I agree. In looking over the code some more, I'm trying to figure out
> > > why we are exporting that variable at all. Is it because of people
> > > wanting to stack security modules?
> > >
> > > I see selinux code using it, but you are always built into the kernel,
> > > right? So unexporting it would not be an issue to you.
> >
> > Various in-tree modules (e.g. ext3) call security hooks via the static
> > inlines and end up referencing security_ops directly. We'd have to wrap
> > all such hooks in the same manner as capable and permission.
>
> Ah, and people like making their file systems as modules :(

But actually yes, calling into random lsm hooks in modules is not a good
thing. The only thing filesystems call is security_inode_init_security
and it would make a lot of sense to make that an out of line wrapper
instead of exporting security_ops.