
lua-lsm: add inode_setattr attributes#22

Open
chenzongyao200127 wants to merge 1 commit into openanolis:lua-lsm from chenzongyao200127:lua-lsm-inode-setattr

Conversation

@chenzongyao200127
Collaborator

Lua-LSM currently passes nil for the inode_setattr() attributes argument. Policy can see the target idmap and dentry, but cannot tell whether the operation is chmod, chown, truncate, a timestamp update, or another setattr request.

Translate the iattr payload into a Lua table. The table includes the valid mask, mode, uid, gid, size, timestamps, and boolean ATTR_* flags, with uid and gid converted through the mount idmap before they are exposed to Lua.

Example Lua policy:

return {
    name = "setattr-policy",
    author = "Zongyao Chen",
    license = "GPL",

    inode_setattr = function(idmap, dentry, attr)
        local path = dentry:path()

        -- deny size changes (truncate) under /var/log
        if attr.size and path and path:match("^/var/log/") then
            return false, errno.EPERM
        end

        -- deny mode changes (chmod) under /etc
        if attr.mode and path and path:match("^/etc/") then
            return false, errno.EPERM
        end

        -- deny chown/chgrp to root; uid and gid arrive already mapped
        -- through the mount idmap
        if attr.uid == 0 or attr.gid == 0 then
            return false, errno.EPERM
        end

        return true
    end,
}

Validation:

  • ./scripts/checkpatch.pl --git origin/lua-lsm..lua-lsm-inode-setattr
  • git diff --check origin/lua-lsm..lua-lsm-inode-setattr

Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Lua-LSM passed nil for inode_setattr() attributes, so policy could
see the target dentry but not which metadata change was being requested.
That made chmod, chown, truncate, timestamp, and related setattr
operations indistinguishable.

Translate the iattr payload into a Lua table containing the valid mask,
mode, uid, gid, size, timestamps, and boolean ATTR_* flags. Convert uid
and gid through the supplied mount idmap before exposing them to Lua.

Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
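The translation the PR description and commit message describe (gate each iattr field on the valid mask, decode the ATTR_* flags, map uid/gid through the mount idmap, then let policy decide), as an added userspace model written for this page; it is not lua-lsm's code or the PR's code. The ATTR_* bit values are the ones from include/linux/fs.h; struct iattr_model, struct idmap_model, struct attr_table, map_id(), translate_iattr() and policy_inode_setattr() are stand-ins for this example only. policy_inode_setattr() restates the example Lua policy above, with one choice that is this example's own: an id the mount idmap cannot map is refused instead of being treated as "not root".

```c
/* Added example, not lua-lsm or PR code: userspace model of the
 * iattr -> policy-table translation. ATTR_* values are from
 * include/linux/fs.h; all struct and function names are stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_MODE      (1 << 0)
#define ATTR_UID       (1 << 1)
#define ATTR_GID       (1 << 2)
#define ATTR_SIZE      (1 << 3)
#define ATTR_ATIME     (1 << 4)
#define ATTR_MTIME     (1 << 5)
#define ATTR_CTIME     (1 << 6)
#define ATTR_FORCE     (1 << 9)
#define ATTR_KILL_SUID (1 << 11)
#define ATTR_KILL_SGID (1 << 12)
#define ATTR_OPEN      (1 << 15)

#define INVALID_ID 0xffffffffu            /* like INVALID_UID / INVALID_GID */

/* Stand-in for struct iattr: ids are in the mount's (vfs) view and only the
 * fields whose ATTR_* bit is set in ia_valid were filled in by the caller. */
struct iattr_model {
    unsigned int ia_valid;
    uint32_t ia_mode, ia_vfsuid, ia_vfsgid;
    int64_t ia_size, ia_atime, ia_mtime, ia_ctime;
};

/* Stand-in for a mount idmap: ranges of vfs ids laid over kernel ids.
 * n == 0 models a non-idmapped mount (identity mapping). */
struct idmap_model {
    struct { uint32_t vfs_first, k_first, count; } ext[4];
    int n;
};

/* Stand-in for the Lua table: a value is only meaningful when its has_*
 * flag is set, which is how a nil field behaves in the Lua policy. */
struct attr_table {
    unsigned int valid;
    bool has_mode, has_uid, has_gid, has_size, has_atime, has_mtime, has_ctime;
    bool force, kill_suid, kill_sgid, open;
    uint32_t mode, uid, gid;
    int64_t size, atime, mtime, ctime;
};

/* Model of from_vfsuid()/from_vfsgid(): translate a vfs id back to a kernel
 * id, or INVALID_ID when no range of the mount idmap covers it. */
static uint32_t map_id(const struct idmap_model *m, uint32_t vfs_id)
{
    if (m->n == 0)
        return vfs_id;
    for (int i = 0; i < m->n; i++) {
        uint32_t off = vfs_id - m->ext[i].vfs_first;
        if (vfs_id >= m->ext[i].vfs_first && off < m->ext[i].count)
            return m->ext[i].k_first + off;
    }
    return INVALID_ID;
}

/* Copy a field into the table only when ia_valid says it is present; the
 * rest of struct iattr is whatever the caller left uninitialised. */
static void translate_iattr(const struct iattr_model *ia,
                            const struct idmap_model *idmap, struct attr_table *t)
{
    unsigned int v = ia->ia_valid;

    memset(t, 0, sizeof(*t));
    t->valid = v;
    if (v & ATTR_MODE)  { t->has_mode = true;  t->mode = ia->ia_mode; }
    if (v & ATTR_UID)   { t->has_uid = true;   t->uid = map_id(idmap, ia->ia_vfsuid); }
    if (v & ATTR_GID)   { t->has_gid = true;   t->gid = map_id(idmap, ia->ia_vfsgid); }
    if (v & ATTR_SIZE)  { t->has_size = true;  t->size = ia->ia_size; }
    if (v & ATTR_ATIME) { t->has_atime = true; t->atime = ia->ia_atime; }
    if (v & ATTR_MTIME) { t->has_mtime = true; t->mtime = ia->ia_mtime; }
    if (v & ATTR_CTIME) { t->has_ctime = true; t->ctime = ia->ia_ctime; }
    t->force = v & ATTR_FORCE;
    t->kill_suid = v & ATTR_KILL_SUID;
    t->kill_sgid = v & ATTR_KILL_SGID;
    t->open = v & ATTR_OPEN;
}

/* The example Lua policy restated over the table, plus this example's own
 * choice to refuse ids the mount cannot map. Returns 0 (allow) or EPERM. */
static int policy_inode_setattr(const struct attr_table *t, const char *path)
{
    if (t->has_size && path && strncmp(path, "/var/log/", 9) == 0)
        return EPERM;                         /* truncate under /var/log */
    if (t->has_mode && path && strncmp(path, "/etc/", 5) == 0)
        return EPERM;                         /* chmod under /etc */
    if (t->has_uid && (t->uid == 0 || t->uid == INVALID_ID))
        return EPERM;                         /* chown to root or unmappable */
    if (t->has_gid && (t->gid == 0 || t->gid == INVALID_ID))
        return EPERM;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a plain mount and a container-style idmapped mount
     * whose vfs ids 0..65535 sit on kernel ids 100000..165535. */
    struct idmap_model nop = { .n = 0 };
    struct idmap_model cont = { .ext = {{0, 100000, 65536}}, .n = 1 };
    struct iattr_model ia = { .ia_valid = ATTR_MODE | ATTR_CTIME, .ia_mode = 0644, .ia_size = 12345 };
    struct attr_table t;

    translate_iattr(&ia, &nop, &t);           /* chmod: stale ia_size stays hidden */
    printf("chmod /etc/passwd: has_size=%d -> %d\n", t.has_size, policy_inode_setattr(&t, "/etc/passwd"));
    ia = (struct iattr_model){ .ia_valid = ATTR_UID | ATTR_CTIME, .ia_vfsuid = 0 };
    translate_iattr(&ia, &cont, &t);          /* container uid 0 maps to 100000 */
    printf("chown to container uid 0: uid=%u -> %d\n", t.uid, policy_inode_setattr(&t, "/home/u/f"));
    translate_iattr(&ia, &nop, &t);           /* host uid 0 stays 0 */
    printf("chown to host uid 0: uid=%u -> %d\n", t.uid, policy_inode_setattr(&t, "/home/u/f"));
    return 0;
}
```

The two points worth carrying back to the real hook are the gating and the mapping: a policy that read ia_mode without checking ATTR_MODE would act on whatever the caller left in the struct, and a uid comparison against 0 only means "host root" once the value has been taken through the mount idmap, which is why a chown to uid 0 inside an idmapped container mount passes the example rule while the same chown on a plain mount is refused.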
