On 12/3/2020 11:54 PM, Christoph Hellwig wrote: > On Fri, Dec 04, 2020 at 08:44:26AM +1100, Dave Chinner wrote: >>>> + if ((IS_ENABLED(CONFIG_SECURITY) && dir->i_sb->s_security) || >>>> + default_acl || acl) >>>> + need_xattr = true; >>>> + >>>> + error = xfs_create(XFS_I(dir), &name, mode, rdev, >>>> + need_xattr, &ip); >>> It might be wort to factor the condition into a little helper. Also >>> I think we also have security labels for O_TMPFILE inodes, so it might >>> be worth plugging into that path as well. >> Yeah, a helper is a good idea - I just wanted to get some feedback >> first on whether it's a good idea to peek directly at >> i_sb->s_security Only security modules should ever look at what's in the security blob. In fact, you can't assume that the presence of a security blob (i.e. ...->s_security != NULL) implies "need_xattr", or any other state for the superblock. >> or whether there is some other way of knowing ahead >> of time that a security xattr is going to be created. I couldn't >> find one, but that doesn't mean such an interface doesn't exist in >> all the twisty passages of the LSM layers... > I've added the relevant list, maybe someone there has an opinion. How is what you're looking for different from security_ismaclabel() ?
