On Fri, Jun 10, 2022 at 4:49 PM KP Singh <kpsingh@xxxxxxxxxx> wrote:
> >
> > > In order to reliably fix this issue and also allow LSM Hooks and BPF
> > > programs which implement hook logic to choose to not make a decision
> > > in certain conditions (e.g. when BPF programs are used for auditing),
> > > introduce a special return value LSM_HOOK_NO_EFFECT which can be used
> > > by the hook to indicate to the framework that it does not intend to
> > > make a decision.
> >
> > The LSM infrastructure already has a convention of returning
> > -EOPNOTSUPP for this condition. Why add another value to check?'
>
> This is not the case in call_int_hook currently.
>
> If we can update the LSM infra to imply that -EOPNOTSUPP means
> that the hook iteration can continue as that implies "no decision"
> this would be okay as well.

Agree that it's cleaner to use existing code like EOPNOTSUPP
to indicate 'ignore this lsm'.

Folks, reminder, please trim your replies.
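
A user-space model of the two hook-iteration semantics discussed in this thread, as an added example that is not part of the thread or of the kernel source. `hook_fn`, the sample hooks, `sample_chain` and both walker functions are hypothetical names, and returning 0 when no hook makes a decision is an assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model only: none of these names are kernel symbols. */
typedef int (*hook_fn)(int request);

/* Constructed sample hooks. */
static int audit_only(int request) { (void)request; return -EOPNOTSUPP; } /* observes, makes no decision */
static int deny_odd(int request)   { return (request & 1) ? -EPERM : 0; } /* enforcing hook */

/* Constructed chain: the auditing hook runs before the enforcing one. */
static const hook_fn sample_chain[] = { audit_only, deny_odd };
static const size_t sample_chain_len = sizeof(sample_chain) / sizeof(sample_chain[0]);

/* Semantics A: any non-zero return ends the walk and becomes the result. */
static int walk_first_nonzero(const hook_fn *hooks, size_t n, int request)
{
    for (size_t i = 0; i < n; i++) {
        int rc = hooks[i](request);
        if (rc != 0)
            return rc;
    }
    return 0;
}

/* Semantics B: -EOPNOTSUPP means "no decision", so the walk continues. */
static int walk_skip_no_decision(const hook_fn *hooks, size_t n, int request)
{
    for (size_t i = 0; i < n; i++) {
        int rc = hooks[i](request);
        if (rc == -EOPNOTSUPP)
            continue;           /* this hook abstains */
        if (rc != 0)
            return rc;          /* first real denial wins */
    }
    return 0;                   /* assumption: nobody objected, so allow */
}

int main(void)
{
    for (int req = 2; req <= 3; req++)
        printf("request %d: A=%d B=%d\n", req,
               walk_first_nonzero(sample_chain, sample_chain_len, req),
               walk_skip_no_decision(sample_chain, sample_chain_len, req));
    return 0;
}
```

Under semantics A the abstaining hook's return value ends the walk, so the enforcing hook never runs and the caller sees `-EOPNOTSUPP` for every request; under semantics B the enforcing hook's verdict is the one returned.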