From: Sebastien Buisson
Date: Wed, 12 Apr 2017 15:30:02 +0200
Subject: Re: [PATCH] selinux: add selinux_is_enforced() function
To: Paul Moore, sds@tycho.nsa.gov
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov, william.c.roberts@intel.com, serge@hallyn.com, james.l.morris@oracle.com, Eric Paris, Paul Moore, Sebastien Buisson
References: <1491988018-4120-1-git-send-email-sbuisson@ddn.com>

2017-04-12 13:55 GMT+02:00 Paul Moore:
> As currently written this code isn't something we would want to merge
> upstream for two important reasons:
>
> * No abstraction layer at the LSM interface. The core kernel code
> should not call directly into any specific LSM, all interaction should
> go through the LSM hooks.

The idea behind this patch and the other one was to replicate what is done with selinux_is_enabled(). As I understand it now, selinux_is_enabled() should remain the only exception to the LSM hooks.

So do you agree if I propose a new security_is_enforced() function at the LSM abstraction layer, which will be hooked to a selinux_is_enforced() function defined inside the SELinux LSM?
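As an added illustration (not code from the patch, the kernel, or either correspondent), a user-space C model of the arrangement proposed above: core code calls security_is_enforced(), which dispatches to whichever LSM registered an is_enforced callback, so no caller outside the SELinux code ever names selinux_is_enforced(). The hook struct, the registration function and the selinux_enforcing flag are stand-ins for this sketch, not the kernel's real LSM hook API.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of an LSM hook table (not the kernel's struct). */
struct lsm_hooks {
    const char *name;
    int (*is_enforced)(void);  /* NULL if this LSM does not implement the hook */
    struct lsm_hooks *next;
};

static struct lsm_hooks *hook_list;  /* LSMs registered with the framework */
static int selinux_enforcing;        /* stand-in for SELinux's enforcing flag */

/* LSM side: the only place that knows about SELinux's enforcing state. */
static int selinux_is_enforced(void)
{
    return selinux_enforcing;
}

/* Abstraction layer: core code calls this, never an LSM function directly.
 * Walks the registered hooks and returns the first LSM's answer. */
int security_is_enforced(void)
{
    for (struct lsm_hooks *h = hook_list; h; h = h->next)
        if (h->is_enforced)
            return h->is_enforced();
    return 0;  /* no LSM implements the hook: report "not enforced" */
}

void security_add_hooks(struct lsm_hooks *hooks)
{
    hooks->next = hook_list;
    hook_list = hooks;
}

static struct lsm_hooks selinux_hooks = { "selinux", selinux_is_enforced, NULL };

/* Core-side consumer, e.g. a filesystem deciding whether to trust labels. */
int core_uses_labels(void) { return security_is_enforced(); }

/* Test helpers for the model. */
void lsm_reset(void) { hook_list = NULL; selinux_enforcing = 0; }
void selinux_set_enforcing(int on) { selinux_enforcing = on; }
void selinux_register(void) { selinux_hooks.next = NULL; security_add_hooks(&selinux_hooks); }

int main(void)
{
    lsm_reset();
    printf("no LSM registered: %d\n", security_is_enforced());
    selinux_register();
    selinux_set_enforcing(1);
    printf("SELinux enforcing: %d\n", core_uses_labels());
    return 0;
}
```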