lsm sb_delete hook, was Re: [PATCH 4/7] vfs: Convert sb->s_inodes iteration to super_iter_inodes()

Christoph Hellwig hch at infradead.org
Thu Oct 3 07:38:05 UTC 2024


On Thu, Oct 03, 2024 at 12:23:41AM -0700, Christoph Hellwig wrote:
> On Wed, Oct 02, 2024 at 11:33:21AM +1000, Dave Chinner wrote:
> > --- a/security/landlock/fs.c
> > +++ b/security/landlock/fs.c
> > @@ -1223,109 +1223,60 @@ static void hook_inode_free_security_rcu(void *inode_security)
> >  
> >  /*
> >   * Release the inodes used in a security policy.
> > - *
> > - * Cf. fsnotify_unmount_inodes() and invalidate_inodes()
> >   */
> > +static int release_inode_fn(struct inode *inode, void *data)
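Review bot: the comment kept above the new `release_inode_fn(struct inode *inode, void *data)` still says "Release the inodes used in a security policy" in the plural, while the function it now heads takes a single inode. It would help to document what the `int` return value means to the caller and whether `data` is used. Since the "Cf. fsnotify_unmount_inodes() and invalidate_inodes()" pointer is dropped here, a reference to super_iter_inodes(), the iterator named in the patch subject, would keep the comment useful as a cross-reference.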
> 
> Looks like this is called from the sb_delete LSM hook, which
> is only implemented by landlock, and only called from
> generic_shutdown_super, separated from evict_inodes only by call
> to fsnotify_sb_delete.  Why did LSM not hook into that and instead

And the main thing that fsnotify_sb_delete does is yet another inode
iteration..

Any chance you all could get together and figure out how to get down
to a single sb inode iteration per unmount?



