On Wed, Mar 5, 2025 at 8:12 AM Paul Moore [off-list ref] wrote:

On Tue, Mar 4, 2025 at 10:32 PM Song Liu [off-list ref] wrote:

quoted

On Tue, Mar 4, 2025 at 6:14 PM Paul Moore [off-list ref] wrote:

quoted

On Tue, Mar 4, 2025 at 8:26 PM Blaise Boscaccy
[off-list ref] wrote:

quoted

Paul Moore [off-list ref] writes:

quoted

On Tue, Mar 4, 2025 at 3:31 PM Blaise Boscaccy
[off-list ref] wrote:

...

quoted

Do we need this in the LSM tree before the upcoming merge window?
If not, we would prefer to carry it in bpf-next.

As long as we can send this up to Linus during the upcoming merge
window I'll be happy; if you feel strongly and want to take it via the
BPF tree, that's fine by me.  I'm currently helping someone draft a
patchset to implement the LSM/SELinux access control LSM callbacks for
the BPF tokens and I'm also working on a fix for the LSM framework
initialization code, both efforts may land in a development tree
during the next dev cycle and may cause a merge conflict with Blaise's
changes.  Not that a merge conflict is a terrible thing that we can't
work around, but if we can avoid it I'd be much happier :)

Please do make the /is_kernel/kernel/ change I mentioned in patch 1/2,
and feel free to keep my ACK from this patchset revision.

My preference is to go via bpf-next, since changes are bigger
on bpf side than on lsm side.

Re: selftest.

Why change them at all if 'bool kernel' attribute is unused ?
Addition of the attr should be backward compatible change,
so all tests should still pass as-is.

You probably should add a new test where 'kernel' arg is actually
used for something. That would be patch 2.