Re: [PATCH v6 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes

From: Mimi Zohar
Date: Wed Nov 23 2022 - 11:23:44 EST


Hi Roberto,

On Wed, 2022-11-23 at 16:47 +0100, Roberto Sassu wrote:
> The second problem this patch set addresses is the limitation of the
> call_int_hook() of stopping the loop when the return value from a hook
> implementation is not zero. Unfortunately, for the inode_init_security hook
> it is a legitimate case to return -EOPNOTSUPP, but this would not
> necessarily mean that there is an error to report to the LSM infrastructure
> but just that an LSM does not will to set an xattr. Other LSMs should be
> still consulted as well.

This is just a heads up. In reviewing the ocfs2 v5 patch, I realized
the meaning of -EOPNOTSUPP is being overloaded to mean multiple things.
Originally, -EOPNOTSUPP meant that the file system didn't implement
xattr support. Now, it is being used to also mean no LSM xattr. In
the former case, none of the LSM xattrs would be written. In the
latter case, some of them will be written.

I'm not convinced that overloading the -EOPNOTSUPP is a good idea.
Still reviewing the patch set...

--
thanks,

Mimi