[$] XFS, LSM, and low-level management APIs
The Linux Security Module (LSM) subsystem allows security modules to hook into many low-level operations within the kernel; modules can use those hooks to examine each requested operation and decide whether it should be allowed to proceed or not. In theory, just about every low-level operation is covered by an LSM hook; in practice, there are some gaps. A discussion regarding one of those gaps - low-level ioctl() operations on XFS filesystems - has revealed a thorny problem and a significant difference of opinion on what the correct solution is.