[PATCH 0/3] Firmware LSM hook
Stephen Smalley
stephen.smalley.work at gmail.com
Tue Mar 10 16:29:40 UTC 2026
On Tue, Mar 10, 2026 at 5:14 AM Leon Romanovsky <leon at kernel.org> wrote:
> 1140 MLX5_SET(general_obj_in_cmd_hdr, cmd_in, uid, uid);
> 1141 err = security_fw_validate_cmd(cmd_in, cmd_in_len, &dev->ib_dev.dev,
> 1142 FW_CMD_CLASS_UVERBS, RDMA_DRIVER_MLX5);
> 1143 if (err)
> 1144 return err;
> 1145
> 1146 err = mlx5_cmd_do(dev->mdev, cmd_in, cmd_in_len, cmd_out, cmd_out_len);
>
> Could you point me to the LSM that would be best suited for performing
> checks of this kind?
If you just want to filter on opcodes, then the SELinux extended
permissions (xperms) support may suffice, see:
https://blog.siphos.be/2017/11/selinux-and-extended-permissions/
https://kernsec.org/files/lss2015/vanderstoep.pdf
https://github.com/SELinuxProject/selinux-notebook/blob/main/src/xperm_rules.md
This was originally added to SELinux to support filtering ioctl
commands and later extended to netlink as well.
If you truly need/want filtering of arbitrary variable-length command
buffers, then I'm not sure any LSM does that today.
Might be best suited to Landlock but not sure even of that one.
More information about the Linux-security-module-archive
mailing list