| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e1c2d34acb37d85e94af15ca1edd162e1e7f9a2a.camel@linux.ibm.com>
Date: Wed, 13 Oct 2021 11:45:01 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Mickaël Salaün <mic@...ikod.net>
Cc: Al Viro <viro@...iv.linux.org.uk>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
Casey Schaufler <casey@...aufler-ca.com>
Subject: Re: [PATCH 2/2] fs: extend the trusted_for syscall to call IMA
[CC'ing Casey]
On Wed, 2021-10-13 at 17:26 +0200, Mickaël Salaün wrote:
> Nice!
>
> On 13/10/2021 13:01, Mimi Zohar wrote:
> > Extend the trusted_for syscall to call the newly defined
> > ima_trusted_for hook.
> >
> > Signed-off-by: Mimi Zohar <zohar@...ux.ibm.com>
> > ---
> > fs/open.c | 3 +++
> > include/linux/ima.h | 9 +++++++++
> > 2 files changed, 12 insertions(+)
> >
> > diff --git a/fs/open.c b/fs/open.c
> > index c79c138a638c..4d54e2a727e1 100644
> > --- a/fs/open.c
> > +++ b/fs/open.c
> > @@ -585,6 +585,9 @@ SYSCALL_DEFINE3(trusted_for, const int, fd, const enum trusted_for_usage, usage,
> > err = inode_permission(file_mnt_user_ns(f.file), inode,
> > mask | MAY_ACCESS);
> >
> > + if (!err)
> > + err = ima_trusted_for(f.file, usage);
>
> Could you please implement a new LSM hook instead? Other LSMs may want
> to use this information as well.
Casey normally pushes back on my defining a new LSM hook, when IMA is
the only user. If any of the LSM maintainers are planning on defining
this hook, please chime in.
thanks,
Mimi
Powered by blists - more mailing lists