On Fri, Feb 21, 2025 at 10:59 AM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>
> The NFS4 security label code does not support multiple labels, and
> is intentionally unaware of which LSM is providing them. It is also
> the case that currently only one LSM that uses security contexts is
> permitted to be active, as enforced by LSM_FLAG_EXCLUSIVE. Any LSM
> that receives a release_secctx that is not explicitly designated as
> for another LSM can safely carry out the release process. The NFS4
> code identifies the lsm_context as LSM_ID_UNDEF, so allowing the
> called LSM to perform the release is safe. Additional sophistication
> will be required when context using LSMs are allowed to be used
> together.
>
> Fixes: b530104f50e8 ("lsm: lsm_context in security_dentry_init_security")
> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> ---
> security/apparmor/secid.c | 2 +-
> security/selinux/hooks.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)

I'm sorry Casey, but Stephen's patch seems like a much better approach to me.

https://lore.kernel.org/linux-security-module/20250220192935.9014-2-stephen.smalley.work@xxxxxxxxx/

--
paul-moore.com