[PATCH 0/3] Firmware LSM hook
Leon Romanovsky
leon at kernel.org
Tue Mar 10 17:57:59 UTC 2026
On Tue, Mar 10, 2026 at 12:29:40PM -0400, Stephen Smalley wrote:
> On Tue, Mar 10, 2026 at 5:14 AM Leon Romanovsky <leon at kernel.org> wrote:
> > 1140 MLX5_SET(general_obj_in_cmd_hdr, cmd_in, uid, uid);
> > 1141 err = security_fw_validate_cmd(cmd_in, cmd_in_len, &dev->ib_dev.dev,
> > 1142 FW_CMD_CLASS_UVERBS, RDMA_DRIVER_MLX5);
> > 1143 if (err)
> > 1144 return err;
> > 1145
> > 1146 err = mlx5_cmd_do(dev->mdev, cmd_in, cmd_in_len, cmd_out, cmd_out_len);
> >
> > Could you point me to the LSM that would be best suited for performing
> > checks of this kind?
>
> If you just want to filter on opcodes, then the SELinux extended
> permissions (xperms) support may suffice, see:
> https://blog.siphos.be/2017/11/selinux-and-extended-permissions/
> https://kernsec.org/files/lss2015/vanderstoep.pdf
> https://github.com/SELinuxProject/selinux-notebook/blob/main/src/xperm_rules.md
>
> This was originally added to SELinux to support filtering ioctl
> commands and later extended to netlink as well.
>
> If you truly need/want filtering of arbitrary variable-length command
> buffers.
Yes. The opcode alone is not sufficient for any real‑world use.
It is not reliable because different firmware versions place different
parameters into the same mailbox entry under the same opcode.
Without inspecting the mailbox contents, you cannot properly filter them.
Thanks
More information about the Linux-security-module-archive
mailing list