Thread: 74 messages, 7 authors, 2023-04-17

Re: [RFC PATCH v9 03/16] ipe: add evaluation loop and introduce 'boot_verified' as a trust provider

From: Paul Moore <paul@paul-moore.com>
Date: 2023-03-02 02:33:38
Also in: dm-devel, linux-block, linux-doc, linux-fscrypt, linux-integrity, lkml

On Fri, Feb 10, 2023 at 6:21 PM Fan Wu [off-list ref] wrote:
> On Tue, Jan 31, 2023 at 04:49:44PM +0100, Roberto Sassu wrote:
> > On Mon, 2023-01-30 at 14:57 -0800, Fan Wu wrote:
> > > From: Deven Bowers <redacted>
> > >
> > > IPE must have a centralized function to evaluate incoming callers
> > > against IPE's policy. This iteration of the policy against the rules
> > > for that specific caller is known as the evaluation loop.
> >
> > Not sure if you check the properties at every access.
> >
> > From my previous comments (also for previous versions of the patches)
> > you could evaluate the property once, by calling the respective
> > functions in the other subsystems.
> >
> > Then, you reserve space in the security blob for inodes and superblocks
> > to cache the decision. The format could be a policy sequence number, to
> > ensure that the cache is valid only for the current policy, and a bit
> > for every hook you enforce.
>
> Thanks for raising this idea. I agree that if the property evaluation
> leads to a performance issue, it will be better to cache the evaluation
> result. But for this version, all the property evaluations are simple,
> so it is just as fast as accessing a cache. Also, for the initial
> version we prefer to keep the patch as minimal as possible.

FWIW, I think that is the right decision.  Keeping the initial
submission relatively small and focused has a lot of advantages when
it comes both to review and prematurely optimizing things that might
not need optimization.

-- 
paul-moore.com
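
The caching scheme described in the quoted text above (a policy sequence number plus one bit per enforced hook), modeled in user-space C. This is an added example, not code from the IPE patch series or from any participant in the thread; the hook names, struct layouts, the toy `require_boot_verified` rule and the separate `evaluated`/`allowed` bitmasks are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
enum hook { HOOK_EXEC, HOOK_MMAP, HOOK_MPROTECT };  /* hypothetical hooks */

/* Stand-in for space reserved in an inode/superblock security blob. */
struct decision_cache {
    uint64_t policy_seq;  /* policy the bits were computed under */
    uint32_t evaluated;   /* per-hook bit: decision is cached */
    uint32_t allowed;     /* per-hook bit: cached decision is allow */
};
struct object { bool boot_verified; struct decision_cache cache; };
struct policy { uint64_t seq; bool require_boot_verified; };
static unsigned eval_count;  /* full property evaluations performed */

static bool evaluate(const struct policy *p, const struct object *o)
{
    eval_count++;
    return !p->require_boot_verified || o->boot_verified;
}

bool check_access(const struct policy *p, struct object *o, enum hook h)
{
    struct decision_cache *c = &o->cache;
    uint32_t bit = UINT32_C(1) << h;

    if (c->policy_seq != p->seq) {  /* policy changed: drop cached bits */
        c->policy_seq = p->seq;
        c->evaluated = c->allowed = 0;
    }
    if (!(c->evaluated & bit)) {    /* miss: evaluate once, then cache */
        c->evaluated |= bit;
        if (evaluate(p, o))
            c->allowed |= bit;
    }
    return (c->allowed & bit) != 0;
}

int main(void)
{
    struct policy p = { .seq = 1, .require_boot_verified = true };
    struct object o = { .boot_verified = false };  /* constructed input */
    int first = check_access(&p, &o, HOOK_EXEC);   /* evaluated: deny */
    int again = check_access(&p, &o, HOOK_EXEC);   /* served from cache */
    p.require_boot_verified = false; p.seq++;      /* policy update */
    int after = check_access(&p, &o, HOOK_EXEC);   /* stale, re-evaluated */
    printf("%d %d %d evals=%u\n", first, again, after, eval_count);
    return 0;
}
```

The sequence check is what keeps a decision made under an old policy from outliving a policy update; without it the cached deny (or allow) would persist on the object.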