Re: [PATCH v6 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes

[PATCH v6 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes · Roberto Sassu <hidden> · 2022-11-23
[PATCH v6 1/6] reiserfs: Switch to security_inode_init_security() · Roberto Sassu <hidden> · 2022-11-23
[PATCH v6 2/6] ocfs2: Switch to security_inode_init_security() · Roberto Sassu <hidden> · 2022-11-23
[PATCH v6 3/6] security: Remove security_old_inode_init_security() · Roberto Sassu <hidden> · 2022-11-23
[PATCH v6 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook · Roberto Sassu <hidden> · 2022-11-23
Re: [PATCH v6 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook · Casey Schaufler <casey@schaufler-ca.com> · 2022-11-23
Re: [PATCH v6 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook · Roberto Sassu <hidden> · 2022-11-24
Re: [PATCH v6 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook · Mimi Zohar <zohar@linux.ibm.com> · 2022-11-24
Re: [PATCH v6 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook · Roberto Sassu <hidden> · 2022-11-24
Re: [PATCH v6 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook · Mimi Zohar <zohar@linux.ibm.com> · 2022-11-29
Re: [PATCH v6 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook · Casey Schaufler <casey@schaufler-ca.com> · 2022-11-29
Re: [PATCH v6 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook · Mimi Zohar <zohar@linux.ibm.com> · 2022-11-30
[PATCH v6 5/6] evm: Align evm_inode_init_security() definition with LSM infrastructure · Roberto Sassu <hidden> · 2022-11-23
[PATCH v6 6/6] evm: Support multiple LSMs providing an xattr · Roberto Sassu <hidden> · 2022-11-23
Re: [PATCH v6 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes · Mimi Zohar <zohar@linux.ibm.com> · 2022-11-23
Re: [PATCH v6 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes · Casey Schaufler <casey@schaufler-ca.com> · 2022-11-23

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2022-11-23 16:23:43
Also in: linux-integrity, lkml, ocfs2-devel, selinux

Hi Roberto,

On Wed, 2022-11-23 at 16:47 +0100, Roberto Sassu wrote:

The second problem this patch set addresses is the limitation of the
call_int_hook() of stopping the loop when the return value from a hook
implementation is not zero. Unfortunately, for the inode_init_security hook
it is a legitimate case to return -EOPNOTSUPP, but this would not
necessarily mean that there is an error to report to the LSM infrastructure
but just that an LSM does not will to set an xattr. Other LSMs should be
still consulted as well.

This is just a heads up.  In reviewing the ocfs2 v5 patch, I realized
the meaning of -EOPNOTSUPP is being overloaded to mean multiple things.
Originally, -EOPNOTSUPP meant that the file system didn't implement
xattr support.  Now, it is being used to also mean no LSM xattr.  In
the former case, none of the LSM xattrs would be written.  In the
latter case, some of them will be written.

I'm not convinced that overloading the -EOPNOTSUPP is a good idea.  
Still reviewing the patch set...

-- 
thanks,

Mimi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help