On Thu, Feb 20, 2020 at 06:52:47PM +0100, KP Singh wrote: > + > + /* This is the first program to be attached to the LSM hook, the hook > + * needs to be enabled. > + */ > + if (prog->type == BPF_PROG_TYPE_LSM && tr->progs_cnt[kind] == 1) > + err = bpf_lsm_set_enabled(prog->aux->attach_func_name, true); > out: > mutex_unlock(&tr->mutex); > return err; > @@ -336,7 +348,11 @@ int bpf_trampoline_unlink_prog(struct bpf_prog *prog) > } > hlist_del(&prog->aux->tramp_hlist); > tr->progs_cnt[kind]--; > - err = bpf_trampoline_update(prog->aux->trampoline); > + err = bpf_trampoline_update(prog); > + > + /* There are no more LSM programs, the hook should be disabled */ > + if (prog->type == BPF_PROG_TYPE_LSM && tr->progs_cnt[kind] == 0) > + err = bpf_lsm_set_enabled(prog->aux->attach_func_name, false); Overall looks good, but I don't think above logic works. Consider lsm being attached, then fexit, then lsm detached, then fexit detached. Both are kind==fexit and static_key stays enabled.
