I'd like to clarify my stance on inode_permission a bit. In this implementation, what they want to do would be needed. However, something that wasn't captured, since Val and I had a brief exchange off-list, was that I believe that her proposed implementation is superior to pushing the dentry into inode_permission. She had a new function called path_permission. With the inclusion of the path-based hooks in the LSM framework, I think if you want to add anything that will be checking permissions based on path, we've decided that it should be its own check. That's why adding a path_permission check at the appropriate points in the VFS is a superior situation to pushing the dentry down into the inode operation.