On Thu, Apr 10, 2025 at 06:53:15AM -0700, Ackerley Tng wrote:
So why do other alloc_anon_inode callers not need security_inode_init_security_anon?
Thanks for this tip!
When I did this refactoring, I was just refactoring anon_inode_create_getfile(), to set up the guest_memfd inode and file in separate stages, and anon_inode_create_getfile() was already using security_inode_init_security_anon().
In the next revision I can remove this call.
Is it too late to remove the call to security_inode_init_security_anon() though? IIUC it is used by LSMs, which means security modules may already be assuming this call?
I'd really like to hear from the security folks if we need it or not, both in this case and for other alloc_anon_inode callers.