On Tue, Jul 7, 2026 at 11:12 PM Kumar Kartikeya Dwivedi <[email protected]> wrote: > > On Wed Jul 8, 2026 at 2:09 AM CEST, David Windsor wrote: > > Many in-kernel LSMs (SELinux, Smack, IMA) store security labels in > > extended attributes. For these LSMs, atomic labeling during inode > > creation is critical: if the inode becomes accessible before its xattr > > is set, it is briefly unlabeled, which can disrupt LSMs making policy > > decisions based on file labels. > > > > Existing LSMs solve this by setting xattrs directly in the > > inode_init_security hook, which runs before the inode becomes > > accessible. BPF LSM programs currently lack this capability because > > the hook uses an output parameter (xattr_count) that BPF programs > > cannot write to, and existing kfuncs like bpf_set_dentry_xattr > > require a dentry that isn't available until after the inode is > > accessible. > > > > This series introduces the bpf_init_inode_xattr() kfunc, which takes > > the combined inode_init_security xattr context argument and claims a > > slot in it via the new security_lsmxattr_add() LSM helper. > > > > There are various CI failures in newly added tests, I don't think any of them > are passing. Please fix before respinning. > > https://github.com/kernel-patches/bpf/pull/12730 > > E.g. both test_init_inode_xattr and test_init_inode_xattr_slot do not have > expected results. >
This is happening because the path "/tmp" in bpf ci isn't mounted on tmpfs, rather on 9p: [ 5.813072] VFS: Mounted root (9p filesystem) on device 0:22. [ 5.924390] vmtest: Mounting tmpfs at /dev/shm [ 5.971012] vmtest: Mounting tmpfs at /run [ 6.096271] vmtest: Mounting tmpfs at /mnt ... which doesn't call inode_init_security. Changing the test to create its file in /dev/shm, which has a real tmpfs, fixes this. We can update the test to skip on filesystems where the hook doesn't fire. I'll wait to gather feedback from Alexei and Paul before sending v6. > pw-bot: cr > > > [...]

