Re: [PATCH 10/29] selinux: implement set acl hook

On Fri, Sep 23, 2022 at 08:47:07AM +0200, Christoph Hellwig wrote:
> On Thu, Sep 22, 2022 at 01:16:57PM -0400, Paul Moore wrote:
> > properly review the changes, but one thing immediately jumped out at
> > me when looking at this: why is the LSM hook
> > "security_inode_set_acl()" when we are passing a dentry instead of an
> > inode?  We don't have a lot of them, but there are
> > `security_dentry_*()` LSM hooks in the existing kernel code.
> 
> I'm no LSM expert, but isn't the inode vs dentry for if it is
> related to an inode operation or dentry operation, not about what
> the first argument is?

Indeed. For example,

void security_inode_post_setxattr(struct dentry *dentry, const char *name,
				  const void *value, size_t size, int flags)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return;
	call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);
	evm_inode_post_setxattr(dentry, name, value, size);
}

int security_inode_getxattr(struct dentry *dentry, const char *name)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return 0;
	return call_int_hook(inode_getxattr, 0, dentry, name);
}

int security_inode_listxattr(struct dentry *dentry)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return 0;
	return call_int_hook(inode_listxattr, 0, dentry);
}


