| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 09 Mar 2023 10:11:36 +0100
From: Roberto Sassu <roberto.sassu@...weicloud.com>
To: Mimi Zohar <zohar@...ux.ibm.com>, viro@...iv.linux.org.uk,
chuck.lever@...cle.com, jlayton@...nel.org,
dmitry.kasatkin@...il.com, paul@...l-moore.com, jmorris@...ei.org,
serge@...lyn.com, dhowells@...hat.com, jarkko@...nel.org,
stephen.smalley.work@...il.com, eparis@...isplace.org,
casey@...aufler-ca.com, brauner@...nel.org
Cc: linux-fsdevel@...r.kernel.org, linux-nfs@...r.kernel.org,
linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
selinux@...r.kernel.org, linux-kernel@...r.kernel.org,
stefanb@...ux.ibm.com, Roberto Sassu <roberto.sassu@...wei.com>
Subject: Re: [PATCH 03/28] ima: Align ima_post_create_tmpfile() definition
with LSM infrastructure
On Wed, 2023-03-08 at 10:15 -0500, Mimi Zohar wrote:
> Hi Roberto,
>
> On Fri, 2023-03-03 at 19:18 +0100, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@...wei.com>
> >
> > Change ima_post_create_tmpfile() definition, so that it can be registered
> > as implementation of the post_create_tmpfile hook.
>
> Since neither security_create_tmpfile() nor
> security_post_create_tmpfile() already exist, why not pass a pointer to
> the file to conform to the other file related security hooks?
Ok, will change the parameter.
Thanks
Roberto
> Mimi
>
> > Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> > ---
> > fs/namei.c | 2 +-
> > include/linux/ima.h | 7 +++++--
> > security/integrity/ima/ima_main.c | 8 ++++++--
> > 3 files changed, 12 insertions(+), 5 deletions(-)
> >
> > diff --git a/fs/namei.c b/fs/namei.c
> > index b5a1ec29193..57727a1ae38 100644
> > --- a/fs/namei.c
> > +++ b/fs/namei.c
> > @@ -3622,7 +3622,7 @@ static int vfs_tmpfile(struct mnt_idmap *idmap,
> > inode->i_state |= I_LINKABLE;
> > spin_unlock(&inode->i_lock);
> > }
> > - ima_post_create_tmpfile(idmap, inode);
> > + ima_post_create_tmpfile(idmap, dir, file_dentry(file), mode);
> > return 0;
> > }
> >
> > diff --git a/include/linux/ima.h b/include/linux/ima.h
> > index 179ce52013b..7535686a403 100644
> > --- a/include/linux/ima.h
> > +++ b/include/linux/ima.h
> > @@ -19,7 +19,8 @@ extern enum hash_algo ima_get_current_hash_algo(void);
> > extern int ima_bprm_check(struct linux_binprm *bprm);
> > extern int ima_file_check(struct file *file, int mask);
> > extern void ima_post_create_tmpfile(struct mnt_idmap *idmap,
> > - struct inode *inode);
> > + struct inode *dir, struct dentry *dentry,
> > + umode_t mode);
> > extern void ima_file_free(struct file *file);
> > extern int ima_file_mmap(struct file *file, unsigned long reqprot,
> > unsigned long prot, unsigned long flags);
> > @@ -69,7 +70,9 @@ static inline int ima_file_check(struct file *file, int mask)
> > }
> >
> > static inline void ima_post_create_tmpfile(struct mnt_idmap *idmap,
> > - struct inode *inode)
> > + struct inode *dir,
> > + struct dentry *dentry,
> > + umode_t mode)
> > {
> > }
> >
> > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > index 8941305376b..4a3d0c8bcba 100644
> > --- a/security/integrity/ima/ima_main.c
> > +++ b/security/integrity/ima/ima_main.c
> > @@ -659,16 +659,20 @@ EXPORT_SYMBOL_GPL(ima_inode_hash);
> > /**
> > * ima_post_create_tmpfile - mark newly created tmpfile as new
> > * @idmap: idmap of the mount the inode was found from
> > - * @inode: inode of the newly created tmpfile
> > + * @dir: inode structure of the parent of the new file
> > + * @dentry: dentry structure of the new file
> > + * @mode: mode of the new file
> > *
> > * No measuring, appraising or auditing of newly created tmpfiles is needed.
> > * Skip calling process_measurement(), but indicate which newly, created
> > * tmpfiles are in policy.
> > */
> > void ima_post_create_tmpfile(struct mnt_idmap *idmap,
> > - struct inode *inode)
> > + struct inode *dir, struct dentry *dentry,
> > + umode_t mode)
> > {
> > struct integrity_iint_cache *iint;
> > + struct inode *inode = dentry->d_inode;
> > int must_appraise;
> >
> > if (!ima_policy_flag || !S_ISREG(inode->i_mode))
Powered by blists - more mailing lists