On Mon, Dec 07, 2020 at 09:22:13AM -0800, Casey Schaufler wrote:
> Only security modules should ever look at what's in the security blob.
> In fact, you can't assume that the presence of a security blob
> (i.e. ...->s_security != NULL) implies "need_xattr", or any other
> state for the superblock.

Maybe "strongly suggests that an xattr will be added" is the better wording.

> > >> or whether there is some other way of knowing ahead
> > >> of time that a security xattr is going to be created. I couldn't
> > >> find one, but that doesn't mean such an interface doesn't exist in
> > >> all the twisty passages of the LSM layers...
> > I've added the relevant list, maybe someone there has an opinion.
>
> How is what you're looking for different from security_ismaclabel() ?

Not at all. What this needs is a guesstimate (which doesn't have to be 100% reliable) that a new inode created by ->create, ->mknod, or ->mkdir will have an xattr set on it during the creation syscall.