On Fri, Mar 11, 2022 at 3:57 PM Luis Chamberlain <mcgrof@xxxxxxxxxx> wrote: > On Fri, Mar 11, 2022 at 01:47:51PM -0500, Paul Moore wrote: ... > > Similar to what was discussed above with respect to auditing, I think > > we need to do some extra work here to make it easier for a LSM to put > > the IO request in the proper context. We have io_uring_cmd::cmd_op > > via the @ioucmd parameter, which is good, but we need to be able to > > associate that with a driver to make sense of it. > > It may not always be a driver, it can be built-in stuff. Good point, but I believe the argument still applies. LSMs are going to need some way to put the cmd_op token in the proper context so that security policy can be properly enforced. -- paul-moore.com
