The secmark "one user" policy
From: jmorris@namei.org (James Morris)
Date: 2017-06-21 07:13:47
On Tue, 20 Jun 2017, Casey Schaufler wrote:
> I'm looking at the secmark code and am looking in particular at the places where it explicitly says that it is intended for one security module at a time. For extreme stacking I can either enforce this restriction by configuration or remove it by clever uses of secid mappings. Either can be made "transparent" to existing user-space. Paul has expressed distaste for using configuration as a shortcut for dealing with this kind of problem, and I generally agree with him. On the other hand, the code is quite clear that it is designed for one and only one kind of secid at a time. I don't want to put a lot of effort into patches that are unacceptable to the author.
How would you see this working, ideally?

--
James Morris [off-list ref]