On Fri, Sep 23, 2022 at 08:47:07AM +0200, Christoph Hellwig wrote:
> On Thu, Sep 22, 2022 at 01:16:57PM -0400, Paul Moore wrote:
> > properly review the changes, but one thing immediately jumped out at
> > me when looking at this: why is the LSM hook
> > "security_inode_set_acl()" when we are passing a dentry instead of an
> > inode? We don't have a lot of them, but there are
> > `security_dentry_*()` LSM hooks in the existing kernel code.
>
> I'm no LSM expert, but isn't the inode vs dentry for if it is
> related to an inode operation or dentry operation, not about that
> the first argument is?

Indeed. For example,

void security_inode_post_setxattr(struct dentry *dentry, const char *name,
				  const void *value, size_t size, int flags)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return;
	call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);
	evm_inode_post_setxattr(dentry, name, value, size);
}

int security_inode_getxattr(struct dentry *dentry, const char *name)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return 0;
	return call_int_hook(inode_getxattr, 0, dentry, name);
}

int security_inode_listxattr(struct dentry *dentry)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return 0;
	return call_int_hook(inode_listxattr, 0, dentry);
}