On Fri, 2018-11-16 at 12:43 -0500, Theodore Y. Ts'o wrote: +AD4 I'd argue that a purpose-built eBPF access control facility is +AD4 superior to the security+AF8-file+AF8-ioctl() LSM hook because it can make +AD4 available to the authorization function access to the cached results +AD4 of the SCSI INQUIRY command, and it avoids needing to duplicate +AD4 knowledge of how to parse the parameters of the SG+AF8-IO ioctl in the LSM +AD4 module as well as in the SCSI stack. If an eBPF program would decide which SG+AF8-IO commands will be executed and which ones not, does that mean that a SCSI parser would have to be implemented in eBPF? If so, does that mean that both the eBPF and the LSM approach share the disadvantage of requiring to do SCSI CDB parsing outside the SCSI core? Bart.