Re: [PATCH 2/2] security, selinux: get rid of security_delete_hooks()
From: Stephen Smalley <hidden>
Date: 2020-01-08 14:48:33
Also in:
selinux
On 1/8/20 12:31 AM, Paul Moore wrote:
> On Tue, Jan 7, 2020 at 9:46 AM Stephen Smalley [off-list ref] wrote:
>> On 1/7/20 8:31 AM, Ondrej Mosnacek wrote:
>>> The only user is SELinux, which is hereby converted to check the
>>> disabled flag in each hook instead of removing the hooks from the list.
>>> The __lsm_ro_after_init macro is now removed and replaced with
>>> __ro_after_init directly.
>>>
>>> This fixes a race condition in SELinux runtime disable, which was
>>> introduced with the switch to hook lists in b1d9e6b0646d ("LSM: Switch
>>> to lists of hooks").
>>
>> Not opposed (naturally, since I suggested it) but my impression from the
>> earlier thread was that Paul preferred the less invasive approach of
>> your original patch (just reordering the hooks) as a short term fix with
>> an eye toward full removal of disable support in the not-too-distant
>> future.
>
> Unless we are seeing wide spread breakages (I don't think we are), or
> we decide we can never remove the runtime disable, I still prefer the
> hook-shuffle over the changes proposed in this patchset.

Note that the first patch is a necessary and correct cleanup regardless of this one.