To see if we can try and make progress on this, can we try and come at this from another angle: what do LSMs *actually* need to do this? And I grant that each LSM might require different things. -~- [A] There are a bunch of things available, some of which may be coincident, depending on the context: (1) The creds of the process that created a watch_queue (ie. opened /dev/watch_queue). (2) The creds of the process that set a watch (ie. called watch_sb, KEYCTL_NOTIFY, ...); (3) The creds of the process that tripped the event (which might be the system). (4) The security attributes of the object on which the watch was set (uid, gid, mode, labels). (5) The security attributes of the object on which the event was tripped. (6) The security attributes of all the objects between the object in (5) and the object in (4), assuming we work from (5) towards (4) if the two aren't coincident (WATCH_INFO_RECURSIVE). At the moment, when post_one_notification() wants to write a notification into a queue, it calls security_post_notification() to ask if it should be allowed to do so. This is passed (1) and (3) above plus the notification record. [B] There are a number of places I can usefully potentially add hooks: (a) The point at which a watch queue is created (ie. /dev/watch_queue is opened). (b) The point at which a watch is set (ie. watch_sb). (c) The point at which a notification is generated (ie. an automount point is tripped). (d) The point at which a notification is delivered (ie. we write the message into the queue). (e) All the points at which we walk over an object in a chain from (c) to find the watch on which we can effect (d) (eg. we walk rootwards from a mountpoint to find watches on a branch in the mount topology). [C] Problems that need to be resolved: (x) Do I need to put a security pointer in struct watch for the active LSM to fill in? If so, I presume this would need passing to security_post_notification(). (y) What checks should be done on object destruction after final put and what contexts need to be supplied? This one is made all the harder because the creds that are in force when close(), exit(), exec(), dup2(), etc. close a file descriptor might need to be propagated to deferred-fput, which must in turn propagate them to af_unix-cleanup, and thence back to deferred-fput and thence to implicit unmount (dissolve_on_fput()[*]). [*] Though it should be noted that if this happens, the subtree cannot be attached to the root of a namespace. Further, if several processes are sharing a file object, it's not predictable as to which process the final notification will come from. (z) Do intermediate objects, say in a mount topology notification, actually need to be checked against the watcher's creds? For a mount topology notification, would this require calling inode_permission() for each intervening directory? Doing that might be impractical as it would probably have to be done outside of of the RCU read lock and the filesystem ->permission() hooks might want to sleep (to touch disk or talk to a server). David