[PATCH v2 0/4] Firmware LSM hook
Leon Romanovsky
leon at kernel.org
Tue May 12 08:51:18 UTC 2026

On Mon, May 04, 2026 at 06:33:45PM -0400, Paul Moore wrote:
> On Fri, Apr 24, 2026 at 6:13 PM Jason Gunthorpe <jgg at ziepe.ca> wrote:
> >
> > ... I wonder if we are even speaking the same language.
>
> Let's reset the conversation.
>
> As I understand it, based on our discussion in this thread and Leon's
> previous patchsets, the basic idea is to enable LSMs to enforce access
> control over fwctl requests/commands sent from userspace. I'm going
> to start with that as a basis.

Yes, we proposed two users: FWCTL and RDMA DevX. Both are relevant, but
FWCTL is the higher priority.

>
> Using the kernel's docs on fwctl, the userspace API appears to consist
> mostly of ioctls with some basic sysfs interfaces. It looks like we
> can mostly ignore the sysfs interface and focus on the ioctl side of
> the API, do you agree?

Yes, all FW commands are routed through ioctls.

>
> https://docs.kernel.org/userspace-api/fwctl/fwctl.html
>
> While normally I would suggest simply using the existing
> security_file_ioctl() hook, Leon previously mentioned that the hook is
> too early for fwctl as the userspace copy happens much later.

I talked about the general verbs interface in RDMA.

Thanks