On Thu, Dec 22, 2016 at 12:15:06AM +0100, Mickaël Salaün wrote:
> Add a new LSM hook named inode_touch_atime which is needed to deny
> indirect update of extended file attributes (i.e. access time) which are
> not caught by the inode_setattr hook. By creating a new hook instead of
> calling inode_setattr, we avoid simulating a useless struct iattr.
>
> This hook allows creating read-only environments as with read-only
> mount points. It can also take care of anonymous inodes.
And LSM has absolutely no business doing that - that's what the mount code is for.
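To make the point concrete, here is an added user-space model (written for this page, not code from the thread, from Landlock, or from the kernel tree) of the gates the VFS already applies before it bumps atime. The control flow follows the shape of atime_needs_update()/touch_atime() in fs/inode.c: every check is an inode, superblock or mount flag, and a read-only mount or superblock stops the update at the "want write" step. The struct layouts, the flag bit values and the helper read_bumps_atime() are assumptions made for illustration; the kernel's real structs and constants differ.

```c
/* Added example: user-space model of the VFS atime-update decision.
 * Not kernel code; struct layouts and flag values are assumed for this model. */
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Mount flags (subset, values assumed). */
#define MNT_NOATIME     (1u << 0)
#define MNT_NODIRATIME  (1u << 1)
#define MNT_RELATIME    (1u << 2)
#define MNT_READONLY    (1u << 3)

/* Superblock flags (subset, values assumed). */
#define SB_RDONLY       (1u << 0)
#define SB_NOATIME      (1u << 1)

/* Per-inode flags used by the model (values assumed). */
#define INODE_IS_DIR    (1u << 0)
#define INODE_NOATIME   (1u << 1)   /* models S_NOATIME / chattr +A */

struct model_sb    { unsigned s_flags; };
struct model_mnt   { unsigned mnt_flags; };
struct model_inode {
    unsigned i_flags;
    struct timespec i_atime, i_mtime, i_ctime;
    struct model_sb *i_sb;
};

static int ts_cmp(const struct timespec *a, const struct timespec *b)
{
    if (a->tv_sec != b->tv_sec)   return a->tv_sec  < b->tv_sec  ? -1 : 1;
    if (a->tv_nsec != b->tv_nsec) return a->tv_nsec < b->tv_nsec ? -1 : 1;
    return 0;
}

/* relatime: only update when atime is not newer than mtime/ctime,
 * or when the stored atime is at least a day old. */
static bool relatime_need_update(const struct model_mnt *mnt,
                                 const struct model_inode *inode,
                                 struct timespec now)
{
    if (!(mnt->mnt_flags & MNT_RELATIME)) return true;
    if (ts_cmp(&inode->i_mtime, &inode->i_atime) >= 0) return true;
    if (ts_cmp(&inode->i_ctime, &inode->i_atime) >= 0) return true;
    if ((long)(now.tv_sec - inode->i_atime.tv_sec) >= 24 * 60 * 60) return true;
    return false;
}

/* Every gate here is a flag on the inode, its superblock or the mount. */
bool atime_needs_update(const struct model_mnt *mnt,
                        const struct model_inode *inode, struct timespec now)
{
    bool is_dir = inode->i_flags & INODE_IS_DIR;
    if (inode->i_flags & INODE_NOATIME)                    return false;
    if (inode->i_sb->s_flags & SB_NOATIME)                 return false;
    if (mnt->mnt_flags & MNT_NOATIME)                      return false;
    if ((mnt->mnt_flags & MNT_NODIRATIME) && is_dir)       return false;
    if (!relatime_need_update(mnt, inode, now))            return false;
    if (ts_cmp(&inode->i_atime, &now) == 0)                return false;
    return true;
}

/* A read-only mount or superblock fails the "want write" step, so the
 * update is silently skipped; this is where ro mounts stop atime writes. */
bool touch_atime(const struct model_mnt *mnt, struct model_inode *inode,
                 struct timespec now)
{
    if (!atime_needs_update(mnt, inode, now)) return false;
    if ((mnt->mnt_flags & MNT_READONLY) || (inode->i_sb->s_flags & SB_RDONLY))
        return false;
    inode->i_atime = now;
    return true;
}

/* Helper (assumed, for the demo): build a scenario and report whether one
 * read would bump atime. Ages are seconds before "now". */
bool read_bumps_atime(unsigned mnt_flags, unsigned sb_flags, unsigned inode_flags,
                      long atime_age_sec, long mtime_age_sec)
{
    struct timespec now = { 1000000, 0 };
    struct model_sb sb = { sb_flags };
    struct model_mnt mnt = { mnt_flags };
    struct model_inode ino = {
        .i_flags = inode_flags,
        .i_atime = { now.tv_sec - atime_age_sec, 0 },
        .i_mtime = { now.tv_sec - mtime_age_sec, 0 },
        .i_ctime = { now.tv_sec - mtime_age_sec, 0 },
        .i_sb = &sb,
    };
    return touch_atime(&mnt, &ino, now);
}

int main(void)
{
    printf("relatime, fresh file:        %d\n", read_bumps_atime(MNT_RELATIME, 0, 0, 10, 10));
    printf("relatime, atime newer:       %d\n", read_bumps_atime(MNT_RELATIME, 0, 0, 5, 100));
    printf("relatime + ro mount:         %d\n", read_bumps_atime(MNT_RELATIME | MNT_READONLY, 0, 0, 10, 10));
    printf("strictatime, ro superblock:  %d\n", read_bumps_atime(0, SB_RDONLY, 0, 5, 100));
    printf("noatime:                     %d\n", read_bumps_atime(MNT_NOATIME, 0, 0, 10, 10));
    return 0;
}
```

The useful takeaway for someone trying to build a read-only environment: mount with ro (or noatime) and the VFS never reaches the point of writing the timestamp, without any LSM involvement.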

