Thread: 13 messages, 3 authors, 2024-03-31

Re: [PATCH] Do not require attributes for security_inode_init_security.

From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2024-03-28 16:44:53

On 3/28/2024 8:38 AM, Dr. Greg wrote:
> ...
>> In Linux v6.8[1] only Smack and SELinux provide implementations for
>> the security_inode_init_security() hook, and both also increment the
>> associated lsm_blob_sizes::lbs_xattr_count field.  While the
>> behavior of the hook may have changed, I see no indications of any
>> harm with respect to the standard upstream Linux kernel.  We
>> obviously want to ensure that we work to fix harmful behavior, but I
>> simply don't see that here; convince me there is a problem, send me
>> a patch as we've discussed, and I'll merge it.
> BPF provides an implementation and would be affected.

BPF has chosen to implement its LSM hooks their own way. As it is
impossible for the infrastructure developers to predict what the
behavior of those hooks may be, it is unreasonable to constrain
them based on hypothetical or rumored use cases.

The implementation of BPF precludes its use of LSM blobs that are
infrastructure managed. That ought to be obvious. BPF could include
a non-zero lbs_xattr_count just in case, and your problem would be
solved, but at a cost.

Bear poking trimmed ...

>> [1] In Linux v6.9-rc1 this grows to include EVM, but EVM also provides
>> both a hook implementation and a lbs_xattr_count bump.
> BPF initialization, as of 6.8 does not include an xattr request.

Just so. If BPF wants to use the aforementioned interface, it needs to
include an xattr request. Just like any other LSM.
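Added illustration, not code from this thread or from the Linux kernel tree: a small userspace C model of the gating the discussion turns on. LSMs register how many xattr slots they need (the thread's lbs_xattr_count), the infrastructure sums those requests, and the inode_init_security hook path only runs when that sum is non-zero, so an LSM that implements the hook without requesting a slot is never called unless some other loaded LSM did request one. The struct names, the register_lsm()/inode_init_security() helpers and the "observer"/"labeler" LSMs are simplified stand-ins of my own, not kernel definitions.

```c
/* Added example: userspace model of the lbs_xattr_count gate on the
 * inode_init_security hook. Names and structures are simplifications
 * (assumptions), not the kernel's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LSMS 4

struct xattr {
    const char *name;
    const char *value;
};

/* A hook may append entries to xattrs[] and advance *xattr_count. */
typedef int (*init_security_hook)(struct xattr *xattrs, int *xattr_count);

struct lsm {
    const char *name;
    init_security_hook hook;  /* NULL when the LSM has no implementation */
    int lbs_xattr_count;      /* xattr slots requested at registration */
    int invoked;              /* instrumentation: times the hook ran */
};

static struct lsm lsms[MAX_LSMS];
static int nr_lsms;
static int total_xattr_count;  /* stand-in for blob_sizes.lbs_xattr_count */

static void reset_lsms(void)
{
    memset(lsms, 0, sizeof(lsms));
    nr_lsms = 0;
    total_xattr_count = 0;
}

static struct lsm *register_lsm(const char *name, init_security_hook hook,
                                int lbs_xattr_count)
{
    struct lsm *l = &lsms[nr_lsms++];

    l->name = name;
    l->hook = hook;
    l->lbs_xattr_count = lbs_xattr_count;
    total_xattr_count += lbs_xattr_count;  /* infrastructure sums requests */
    return l;
}

/* Labeling LSM: writes one xattr, so it registered lbs_xattr_count = 1.
 * The xattr name and value are constructed sample data. */
static int labeling_hook(struct xattr *xattrs, int *xattr_count)
{
    xattrs[*xattr_count].name = "security.example_label";
    xattrs[*xattr_count].value = "example_t";
    (*xattr_count)++;
    return 0;
}

/* Observing LSM: implements the hook but writes nothing and requested
 * no slots (the BPF situation the thread describes). */
static int observing_hook(struct xattr *xattrs, int *xattr_count)
{
    (void)xattrs;
    (void)xattr_count;
    return 0;
}

/* Model of the infrastructure call: with no slots requested, return
 * before running any hook; otherwise allocate the array and run all.
 * Returns the number of xattrs produced, or -1 on failure. */
static int inode_init_security(void)
{
    struct xattr *new_xattrs;
    int xattr_count = 0;
    int i;

    if (!total_xattr_count)
        return 0;  /* the gate: no hook runs, whoever implemented one */

    new_xattrs = calloc(total_xattr_count + 1, sizeof(*new_xattrs));
    if (!new_xattrs)
        return -1;

    for (i = 0; i < nr_lsms; i++) {
        if (!lsms[i].hook)
            continue;
        lsms[i].invoked++;
        if (lsms[i].hook(new_xattrs, &xattr_count)) {
            free(new_xattrs);
            return -1;
        }
    }
    free(new_xattrs);
    return xattr_count;
}

/* Load the observer alone, or beside a labeling LSM; return xattrs produced. */
int run_init_security(int with_labeler)
{
    reset_lsms();
    register_lsm("observer", observing_hook, 0);
    if (with_labeler)
        register_lsm("labeler", labeling_hook, 1);
    return inode_init_security();
}

/* How many times the named LSM's hook ran in the last scenario (-1 if absent). */
int hook_runs(const char *name)
{
    for (int i = 0; i < nr_lsms; i++)
        if (strcmp(lsms[i].name, name) == 0)
            return lsms[i].invoked;
    return -1;
}

int main(void)
{
    printf("observer alone: xattrs=%d observer runs=%d\n",
           run_init_security(0), hook_runs("observer"));
    printf("with labeler:   xattrs=%d observer runs=%d labeler runs=%d\n",
           run_init_security(1), hook_runs("observer"), hook_runs("labeler"));
    return 0;
}
```

The first scenario is the one the thread argues about: the observer's hook exists, but because nobody requested a slot the infrastructure returns before the hook list is walked. In the second scenario the labeling LSM's request is what opens the gate, and the observer's hook then runs as a side effect of another LSM's registration, which is why the reply insists that an LSM wanting the hook should request its own slot rather than rely on what else happens to be loaded.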