On 2024/06/28 3:28, Paul Moore wrote:
> It's also worth mentioning that while we always allocate i_security in
> security_inode_alloc() right now, I can see a world where we allocate
> the i_security field based on need using the lsm_blob_size info (maybe
> that works today? not sure how kmem_cache handled 0 length blobs?).
> The result is that there might be a legitimate case where i_security
> is NULL, yet we still want to call into the LSM using the
> inode_free_security() implementation hook.

As an LKM-based LSM user, I don't like dependency on the lsm_blob_size info.
Since LKM-based LSM users cannot use lsm_blob_size due to __ro_after_init,
LKM-based LSM users depend on individual LSM hooks being called even if
i_security is NULL. How do we provide hooks for AV/EDR which cannot be
built into vmlinux (due to distributor's support policy)? They cannot
benefit from infrastructure-managed security blobs.