On Mon, May 04, 2026 at 06:33:45PM -0400, Paul Moore wrote:
> On Fri, Apr 24, 2026 at 6:13 PM Jason Gunthorpe <[email protected]> wrote:
> >
> > ... I wonder if we are even speaking the same language.
>
> Let's reset the conversation.
>
> As I understand it, based on our discussion in this thread and Leon's
> previous patchsets, the basic idea is to enable LSMs to enforce access
> control over fwctl requests/commands sent from userspace. I'm going
> to start with that as a basis.

Yes, we proposed two users: FWCTL and RDMA DevX. Both are relevant, but FWCTL is the higher priority.

>
> Using the kernel's docs on fwctl, the userspace API appears to consist
> mostly of ioctls with some basic sysfs interfaces. It looks like we
> can mostly ignore the sysfs interface and focus on the ioctl side of
> the API, do you agree?

Yes, all FW commands are routed through ioctls.

>
> https://docs.kernel.org/userspace-api/fwctl/fwctl.html
>
> While normally I would suggest simply using the existing
> security_file_ioctl() hook, Leon previously mentioned that the hook is
> too early for fwctl as the userspace copy happens much later.

I talked about the general verbs interface in RDMA.

Thanks

