| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Oct 2023 10:26:26 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Roberto Sassu <roberto.sassu@...weicloud.com>,
viro@...iv.linux.org.uk, brauner@...nel.org,
chuck.lever@...cle.com, jlayton@...nel.org, neilb@...e.de,
kolga@...app.com, Dai.Ngo@...cle.com, tom@...pey.com,
dmitry.kasatkin@...il.com, paul@...l-moore.com, jmorris@...ei.org,
serge@...lyn.com, dhowells@...hat.com, jarkko@...nel.org,
stephen.smalley.work@...il.com, eparis@...isplace.org,
casey@...aufler-ca.com
Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-nfs@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
selinux@...r.kernel.org, Roberto Sassu <roberto.sassu@...wei.com>,
Stefan Berger <stefanb@...ux.ibm.com>
Subject: Re: [PATCH v3 01/25] ima: Align ima_inode_post_setattr() definition
with LSM infrastructure
On Mon, 2023-09-04 at 15:33 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@...wei.com>
>
> Change ima_inode_post_setattr() definition, so that it can be registered as
> implementation of the inode_post_setattr hook.
Please indicate inode_post_settattr() is a new hook. In general it
should be stated on first usage. In 02/25 the wording "(to be
introduced)" is used, but not on first usage. Please add "(to be
introduced)" after inode_post_setattr.
Adding a new security hook argument would be to support both IMA and
EVM, which have different options.
Mimi
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> Reviewed-by: Stefan Berger <stefanb@...ux.ibm.com>
> ---
> fs/attr.c | 2 +-
> include/linux/ima.h | 4 ++--
> security/integrity/ima/ima_appraise.c | 3 ++-
> 3 files changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/fs/attr.c b/fs/attr.c
> index d60dc1edb526..7d4553c1208d 100644
> --- a/fs/attr.c
> +++ b/fs/attr.c
> @@ -486,7 +486,7 @@ int notify_change(struct mnt_idmap *idmap, struct dentry *dentry,
>
> if (!error) {
> fsnotify_change(dentry, ia_valid);
> - ima_inode_post_setattr(idmap, dentry);
> + ima_inode_post_setattr(idmap, dentry, ia_valid);
> evm_inode_post_setattr(dentry, ia_valid);
> }
>
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index 86b57757c7b1..910a2f11a906 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -186,7 +186,7 @@ static inline void ima_post_key_create_or_update(struct key *keyring,
> #ifdef CONFIG_IMA_APPRAISE
> extern bool is_ima_appraise_enabled(void);
> extern void ima_inode_post_setattr(struct mnt_idmap *idmap,
> - struct dentry *dentry);
> + struct dentry *dentry, int ia_valid);
> extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
> const void *xattr_value, size_t xattr_value_len);
> extern int ima_inode_set_acl(struct mnt_idmap *idmap,
> @@ -206,7 +206,7 @@ static inline bool is_ima_appraise_enabled(void)
> }
> h
> static inline void ima_inode_post_setattr(struct mnt_idmap *idmap,
> - struct dentry *dentry)
> + struct dentry *dentry, int ia_valid)
> {
> return;
> }
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 491c1aca0b1c..6b032bce4fe7 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -627,6 +627,7 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
> * ima_inode_post_setattr - reflect file metadata changes
> * @idmap: idmap of the mount the inode was found from
> * @dentry: pointer to the affected dentry
> + * @ia_valid: for the UID and GID status
> *
> * Changes to a dentry's metadata might result in needing to appraise.
> *
> @@ -634,7 +635,7 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
> * to lock the inode's i_mutex.
> */
> void ima_inode_post_setattr(struct mnt_idmap *idmap,
> - struct dentry *dentry)
> + struct dentry *dentry, int ia_valid)
> {
> struct inode *inode = d_backing_inode(dentry);
> struct integrity_iint_cache *iint;
Powered by blists - more mailing lists