| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 08 Mar 2023 10:15:25 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Roberto Sassu <roberto.sassu@...weicloud.com>,
viro@...iv.linux.org.uk, chuck.lever@...cle.com,
jlayton@...nel.org, dmitry.kasatkin@...il.com, paul@...l-moore.com,
jmorris@...ei.org, serge@...lyn.com, dhowells@...hat.com,
jarkko@...nel.org, stephen.smalley.work@...il.com,
eparis@...isplace.org, casey@...aufler-ca.com, brauner@...nel.org
Cc: linux-fsdevel@...r.kernel.org, linux-nfs@...r.kernel.org,
linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
selinux@...r.kernel.org, linux-kernel@...r.kernel.org,
stefanb@...ux.ibm.com, Roberto Sassu <roberto.sassu@...wei.com>
Subject: Re: [PATCH 03/28] ima: Align ima_post_create_tmpfile() definition
with LSM infrastructure
Hi Roberto,
On Fri, 2023-03-03 at 19:18 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@...wei.com>
>
> Change ima_post_create_tmpfile() definition, so that it can be registered
> as implementation of the post_create_tmpfile hook.
Since neither security_create_tmpfile() nor
security_post_create_tmpfile() already exist, why not pass a pointer to
the file to conform to the other file related security hooks?
Mimi
>
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> ---
> fs/namei.c | 2 +-
> include/linux/ima.h | 7 +++++--
> security/integrity/ima/ima_main.c | 8 ++++++--
> 3 files changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index b5a1ec29193..57727a1ae38 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -3622,7 +3622,7 @@ static int vfs_tmpfile(struct mnt_idmap *idmap,
> inode->i_state |= I_LINKABLE;
> spin_unlock(&inode->i_lock);
> }
> - ima_post_create_tmpfile(idmap, inode);
> + ima_post_create_tmpfile(idmap, dir, file_dentry(file), mode);
> return 0;
> }
>
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index 179ce52013b..7535686a403 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -19,7 +19,8 @@ extern enum hash_algo ima_get_current_hash_algo(void);
> extern int ima_bprm_check(struct linux_binprm *bprm);
> extern int ima_file_check(struct file *file, int mask);
> extern void ima_post_create_tmpfile(struct mnt_idmap *idmap,
> - struct inode *inode);
> + struct inode *dir, struct dentry *dentry,
> + umode_t mode);
> extern void ima_file_free(struct file *file);
> extern int ima_file_mmap(struct file *file, unsigned long reqprot,
> unsigned long prot, unsigned long flags);
> @@ -69,7 +70,9 @@ static inline int ima_file_check(struct file *file, int mask)
> }
>
> static inline void ima_post_create_tmpfile(struct mnt_idmap *idmap,
> - struct inode *inode)
> + struct inode *dir,
> + struct dentry *dentry,
> + umode_t mode)
> {
> }
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 8941305376b..4a3d0c8bcba 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -659,16 +659,20 @@ EXPORT_SYMBOL_GPL(ima_inode_hash);
> /**
> * ima_post_create_tmpfile - mark newly created tmpfile as new
> * @idmap: idmap of the mount the inode was found from
> - * @inode: inode of the newly created tmpfile
> + * @dir: inode structure of the parent of the new file
> + * @dentry: dentry structure of the new file
> + * @mode: mode of the new file
> *
> * No measuring, appraising or auditing of newly created tmpfiles is needed.
> * Skip calling process_measurement(), but indicate which newly, created
> * tmpfiles are in policy.
> */
> void ima_post_create_tmpfile(struct mnt_idmap *idmap,
> - struct inode *inode)
> + struct inode *dir, struct dentry *dentry,
> + umode_t mode)
> {
> struct integrity_iint_cache *iint;
> + struct inode *inode = dentry->d_inode;
> int must_appraise;
>
> if (!ima_policy_flag || !S_ISREG(inode->i_mode))
Powered by blists - more mailing lists