[PATCH] LSM: check if lsmprop_to_secctx call is supported by LSM

Casey Schaufler casey at schaufler-ca.com
Fri Jun 19 17:44:58 UTC 2026


On 6/19/2026 10:19 AM, Sebastian Bockholt wrote:
> In include/linux/lsm_hook_defs.h, lsmprop_to_secctx is defined with
> a default return value of -EOPNOTSUPP.
> The function bpf_lsm_lsmprop_to_secctx, defined in
> security/bpf/hooks.c, returns the hook's default value. Therefore,
> directly returning the result of the bpf_lsm_lsmprop_to_secctx call
> propagates an unchecked EOPNOTSUPP error.

If the BPF LSM (the BPF LSM infrastructure, not the eBPF programs)
is going to support security contexts, you need to mark it
LSM_FLAGS_EXCLUSIVE. Sorry, but the work to support multiple LSMs
that use security contexts is not progressing at a brisk pace.
Until then your choices are:

	- Make the BPF LSM exclusive
	- Do not use any of the security context or secid based hooks

If you want to help with the multiple LSM support, there's still
plenty of work to do. Let me know.

>
> Signed-off-by: Sebastian Bockholt <sebastian.bockholt at bevuta.com>
> ---
>  security/security.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/security/security.c b/security/security.c
> index 71aea8fdf014..9c63699d45fc 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -3954,12 +3954,16 @@ EXPORT_SYMBOL(security_secid_to_secctx);
>  int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp,
>  			       int lsmid)
>  {
> +	int error;
>  	struct lsm_static_call *scall;
>  
>  	lsm_for_each_hook(scall, lsmprop_to_secctx) {
>  		if (lsmid != LSM_ID_UNDEF && lsmid != scall->hl->lsmid->id)
>  			continue;
> -		return scall->hl->hook.lsmprop_to_secctx(prop, cp);
> +		error = scall->hl->hook.lsmprop_to_secctx(prop, cp);
> +		if (error == -EOPNOTSUPP)
> +			continue;
> +		return error;
>  	}
>  	return LSM_RET_DEFAULT(lsmprop_to_secctx);
>  }
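Review bot: in the lsm_for_each_hook loop, skipping a hook on -EOPNOTSUPP changes what lsmid == LSM_ID_UNDEF means: the first registered module that does not implement the conversion no longer gives the final answer, so cp can end up filled by a later LSM rather than the one whose data is in prop. The commit message should say that this fallthrough between modules is intended, or the skip should be limited to hooks that were not explicitly selected by lsmid. Note also that the exhausted-loop path returns LSM_RET_DEFAULT(lsmprop_to_secctx), which per the commit message is the same -EOPNOTSUPP, so for a specific lsmid the `continue` and a direct `return error;` are equivalent; the patch only alters behaviour when more than one LSM registers lsmprop_to_secctx.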



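The dispatch change in the quoted hunk, as an added user-space model that is not part of the posted patch or of the kernel: two hooks are registered in order, the BPF LSM returning the -EOPNOTSUPP hook default described in the commit message, and a hypothetical second LSM (LSM_ID_OTHER, a constructed id) that does fill the context. The struct layouts, lsmid values and both hook functions are assumptions made for illustration. resolved_lsm() reports which module answered a query, or the negative errno the dispatcher returned, so the before/after difference for lsmid == LSM_ID_UNDEF, and the unchanged result when a specific lsmid is requested, can be seen directly.

```c
/*
 * Added user-space model of the security_lsmprop_to_secctx() dispatch
 * loop before and after the posted patch.  Not kernel code: the lsmid
 * values, the struct layouts and the two hook functions are constructed.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LSM_ID_UNDEF 0	/* "any LSM", as in the kernel */
#define LSM_ID_BPF   1	/* constructed id for the BPF LSM */
#define LSM_ID_OTHER 2	/* constructed id for a second, context-aware LSM */

struct lsm_prop { int secid; };
struct lsm_context { char context[32]; size_t len; int id; };

struct hook_entry {
	int lsmid;
	int (*lsmprop_to_secctx)(struct lsm_prop *prop, struct lsm_context *cp);
};

/* BPF LSM: returns the hook's default, as the commit message describes. */
static int bpf_lsm_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp)
{
	(void)prop;
	(void)cp;
	return -EOPNOTSUPP;
}

/* Hypothetical second LSM that really converts prop into a context. */
static int other_lsm_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp)
{
	cp->len = (size_t)snprintf(cp->context, sizeof cp->context,
				   "label-%d", prop->secid);
	cp->id = LSM_ID_OTHER;
	return 0;
}

/* Registration order matters: the BPF LSM is walked first. */
static const struct hook_entry hooks[] = {
	{ LSM_ID_BPF,   bpf_lsm_lsmprop_to_secctx },
	{ LSM_ID_OTHER, other_lsm_lsmprop_to_secctx },
};
#define NHOOKS (sizeof hooks / sizeof hooks[0])

/* Before the patch: the first hook matching lsmid gives the final answer. */
int dispatch_before(struct lsm_prop *prop, struct lsm_context *cp, int lsmid)
{
	for (size_t i = 0; i < NHOOKS; i++) {
		if (lsmid != LSM_ID_UNDEF && lsmid != hooks[i].lsmid)
			continue;
		return hooks[i].lsmprop_to_secctx(prop, cp);
	}
	return -EOPNOTSUPP;	/* LSM_RET_DEFAULT(lsmprop_to_secctx) */
}

/* After the patch: -EOPNOTSUPP means "not mine", so try the next hook. */
int dispatch_after(struct lsm_prop *prop, struct lsm_context *cp, int lsmid)
{
	for (size_t i = 0; i < NHOOKS; i++) {
		int error;

		if (lsmid != LSM_ID_UNDEF && lsmid != hooks[i].lsmid)
			continue;
		error = hooks[i].lsmprop_to_secctx(prop, cp);
		if (error == -EOPNOTSUPP)
			continue;
		return error;
	}
	return -EOPNOTSUPP;
}

/*
 * Run one query and report which LSM filled the context (its id), or the
 * negative errno the dispatcher returned.
 */
int resolved_lsm(int patched, int lsmid, int secid)
{
	struct lsm_prop prop = { .secid = secid };
	struct lsm_context cp = { .id = LSM_ID_UNDEF };
	int error = patched ? dispatch_after(&prop, &cp, lsmid)
			    : dispatch_before(&prop, &cp, lsmid);

	return error ? error : cp.id;
}

int main(void)
{
	printf("before, any LSM : %d\n", resolved_lsm(0, LSM_ID_UNDEF, 7));
	printf("after,  any LSM : %d\n", resolved_lsm(1, LSM_ID_UNDEF, 7));
	printf("after,  BPF only: %d\n", resolved_lsm(1, LSM_ID_BPF, 7));
	printf("after,  other   : %d\n", resolved_lsm(1, LSM_ID_OTHER, 7));
	return 0;
}
```

With lsmid == LSM_ID_UNDEF the unpatched loop stops at the BPF LSM and hands back its -EOPNOTSUPP; the patched loop skips it and the context comes from the second module. Asking for LSM_ID_BPF explicitly yields -EOPNOTSUPP either way, which is the point made in the review note above: the patch only changes outcomes when more than one LSM registers the hook.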
More information about the Linux-security-module-archive mailing list