[PATCH v7 4/5] bpf: Only enable BPF LSM hooks when an LSM program is attached
KP Singh
kpsingh at kernel.org
Fri Nov 10 22:19:55 UTC 2023
[...]
> > @@ -110,11 +110,14 @@ struct lsm_id {
> > * @scalls: The beginning of the array of static calls assigned to this hook.
> > * @hook: The callback for the hook.
> > * @lsm: The name of the lsm that owns this hook.
> > + * @default_state: The state of the LSM hook when initialized. If set to false,
> > + * the static key guarding the hook will be set to disabled.
> > */
> > struct security_hook_list {
> > struct lsm_static_call *scalls;
> > union security_list_options hook;
> > const struct lsm_id *lsmid;
> > + bool default_state;
>
> minor nit: "default_state" would make more sense if it were some
> enum instead of a bool. But given it's true/false, default_enabled makes
> more sense.
Agreed.
>
> > } __randomize_layout;
> >
> > /*
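Review bot: the new bool in struct security_hook_list is zero-initialized to false by any initializer that is not updated to set it, and the @default_state comment says false means the hook's static key starts disabled, so every hook of every LSM whose initializer does not explicitly set the field would come up disabled; either invert the sense so that the zero value means "enabled" (e.g. a "disabled" flag), or state in the comment that all initializers of this struct must set the field and that the value is only consulted at initialization. Also, while touching this kernel-doc block, the existing "@lsm: The name of the lsm that owns this hook." describes a name, but the member is "const struct lsm_id *lsmid;", so the tag should be @lsmid and describe the pointer.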
>
[...]
> > +
> > +void bpf_lsm_toggle_hook(void *addr, bool value)
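Review bot: bpf_lsm_toggle_hook() is introduced here with only a blank "+" line above it and no kernel-doc comment; add one stating what @addr must point to (the hook function whose static key is toggled) and whether callers are expected to hold any lock or to serialize concurrent toggles, since the "void *addr" parameter gives the reader no type information.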
>
> another minor nit: similar to above, s/value/enable/ reads nicer
>
Fixed.