From: Mimi Zohar <zohar@linux.ibm.com>
To: Roberto Sassu <roberto.sassu@huaweicloud.com>,
viro@zeniv.linux.org.uk, brauner@kernel.org,
chuck.lever@oracle.com, jlayton@kernel.org, neilb@suse.de,
kolga@netapp.com, Dai.Ngo@oracle.com, tom@talpey.com,
paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
dmitry.kasatkin@gmail.com, dhowells@redhat.com,
jarkko@kernel.org, stephen.smalley.work@gmail.com,
eparis@parisplace.org, casey@schaufler-ca.com, mic@digikod.net
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
selinux@vger.kernel.org, Roberto Sassu <roberto.sassu@huawei.com>,
Stefan Berger <stefanb@linux.ibm.com>
Subject: Re: [PATCH v4 12/23] security: Introduce file_post_open hook
Date: Mon, 06 Nov 2023 11:40:08 -0500 [thread overview]
Message-ID: <980b8df5eccc03a67328e28b7cef2b777bc310f0.camel@linux.ibm.com> (raw)
In-Reply-To: <20231027083558.484911-13-roberto.sassu@huaweicloud.com>
On Fri, 2023-10-27 at 10:35 +0200, Roberto Sassu wrote:
> diff --git a/security/security.c b/security/security.c
> index 2ee958afaf40..d24a8f92d641 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2947,6 +2947,23 @@ int security_file_open(struct file *file)
> return fsnotify_perm(file, MAY_OPEN);
> }
>
> +/**
> + * security_file_post_open() - Recheck access to a file after it has been opened
> + * @file: the file
> + * @mask: access mask
> + *
> + * Recheck access with mask after the file has been opened. The hook is useful
> + * for LSMs that require the file content to be available in order to make
> + * decisions.
> + *
The hook isn't limited to "Recheck access". It's used for measuring,
appraising, and auditing a file's integrity. Sorry for suggesting an
incomplete patch description. Please update the wording here and the
patch description accordingly.
> + * Return: Returns 0 if permission is granted.
> + */
> +int security_file_post_open(struct file *file, int mask)
> +{
> + return call_int_hook(file_post_open, 0, file, mask);
> +}
> +EXPORT_SYMBOL_GPL(security_file_post_open);
> +
> /**
> * security_file_truncate() - Check if truncating a file is allowed
> * @file: file
--
thanks,
Mimi
next prev parent reply other threads:[~2023-11-06 16:40 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-27 8:35 [PATCH v4 00/23] security: Move IMA and EVM to the LSM infrastructure Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 01/23] ima: Align ima_inode_post_setattr() definition with " Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 02/23] ima: Align ima_file_mprotect() " Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 03/23] ima: Align ima_inode_setxattr() " Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 04/23] ima: Align ima_inode_removexattr() " Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 05/23] ima: Align ima_post_read_file() " Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 06/23] evm: Align evm_inode_post_setattr() " Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 07/23] evm: Align evm_inode_setxattr() " Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 08/23] evm: Align evm_inode_post_setxattr() " Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 09/23] security: Align inode_setattr hook definition with EVM Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 10/23] security: Introduce inode_post_setattr hook Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 11/23] security: Introduce inode_post_removexattr hook Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 12/23] security: Introduce file_post_open hook Roberto Sassu
2023-11-06 16:40 ` Mimi Zohar [this message]
2023-10-27 8:35 ` [PATCH v4 13/23] security: Introduce file_pre_free_security hook Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 14/23] security: Introduce path_post_mknod hook Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 15/23] security: Introduce inode_post_create_tmpfile hook Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 16/23] security: Introduce inode_post_set_acl hook Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 17/23] security: Introduce inode_post_remove_acl hook Roberto Sassu
2023-11-06 16:34 ` Mimi Zohar
2023-10-27 8:35 ` [PATCH v4 18/23] security: Introduce key_post_create_or_update hook Roberto Sassu
2023-10-27 8:35 ` [PATCH v4 19/23] ima: Move to LSM infrastructure Roberto Sassu
2023-10-27 8:42 ` [PATCH v4 20/23] ima: Move IMA-Appraisal " Roberto Sassu
2023-11-06 16:33 ` Mimi Zohar
2023-10-27 8:42 ` [PATCH v4 21/23] evm: Move " Roberto Sassu
2023-10-27 8:42 ` [PATCH v4 22/23] integrity: Move integrity functions to the " Roberto Sassu
2023-10-27 8:42 ` [PATCH v4 23/23] integrity: Switch from rbtree to LSM-managed blob for integrity_iint_cache Roberto Sassu
2023-11-06 16:37 ` [PATCH v4 00/23] security: Move IMA and EVM to the LSM infrastructure Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=980b8df5eccc03a67328e28b7cef2b777bc310f0.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=Dai.Ngo@oracle.com \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=chuck.lever@oracle.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eparis@parisplace.org \
--cc=jarkko@kernel.org \
--cc=jlayton@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=kolga@netapp.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=neilb@suse.de \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=roberto.sassu@huaweicloud.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stefanb@linux.ibm.com \
--cc=stephen.smalley.work@gmail.com \
--cc=tom@talpey.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).