On Thu, Jun 30, 2022 at 6:29 PM Amir Goldstein <amir73il@xxxxxxxxx> wrote:
>
> > >
> > > This discussion would probably be a lot shorter if this series were sent
> > > with a proper explanation of how this is supposed to work and what it's
> > > used for.
> >
> > It's currently scoped to BPF LSM (albeit limited to LSM for now)
> > but it won't just be used in LSM programs but some (allow-listed)
> > tracing programs too.
> >
>
> KP,
>
> Without taking sides in the discussion about the security aspect of
> bpf_getxattr(),
> I wanted to say that we have plans to add BPF hooks for fanotify event
> filters and
> AFAIK Alessio's team is working on adding BPF hooks for FUSE bypass decisions.
>
> In both those cases, being able to tag files with some xattr and use
> that as part of
> criteria in the hook would be very useful IMO, but I don't think that
> it should be a
> problem to limit the scope of the allowed namespace to security.bpf.* for these
> use cases.

Thanks Amir, I agree, this does seem like a practical way to move forward.

Cheers,
- KP

>
> Thanks,
> Amir.