[PATCH v3 14/25] security: Introduce file_post_open hook

Mimi Zohar zohar at linux.ibm.com
Thu Oct 12 13:35:24 UTC 2023


On Thu, 2023-10-12 at 14:45 +0200, Roberto Sassu wrote:
> On Thu, 2023-10-12 at 08:36 -0400, Mimi Zohar wrote:
> > On Mon, 2023-09-04 at 15:34 +0200, Roberto Sassu wrote:
> > > From: Roberto Sassu <roberto.sassu at huawei.com>
> > > 
> > > In preparation to move IMA and EVM to the LSM infrastructure, introduce the
> > > file_post_open hook. Also, export security_file_post_open() for NFS.
> > > 
> > > It is useful for IMA to calculate the dhigest of the file content, and to
> > > decide based on that digest whether the file should be made accessible to
> > > the requesting process.
> > 
> > Please remove "It is usefile for".   Perhaps something along the lines:
> > 
> > 
> > Based on policy, IMA calculates the digest of the file content and
> > decides ...
> 
> Ok.
> 
> > > 
> > > LSMs should use this hook instead of file_open, if they need to make their
> > > decision based on an opened file (for example by inspecting the file
> > > content). The file is not open yet in the file_open hook.

Needing to inspect the file contents is a good example.

>  
> > The security hooks were originally defined for enforcing access
> > control.  As a result the hooks were placed before the action.  The
> > usage of the LSM hooks is not limited to just enforcing access control
> > these days.  For IMA/EVM to become full LSMs additional hooks are
> > needed post action.  Other LSMs, probably non-access control ones,
> > could similarly take some action post action, in this case successful
> > file open.
> 
> I don't know, I would not exclude LSMs to enforce access control. The
> post action can be used to update the state, which can be used to check
> next accesses (exactly what happens for EVM).
> 
> > Having to justify the new LSM post hooks in terms of the existing LSMs,
> > which enforce access control, is really annoying and makes no sense. 
> > Please don't.
> 
> Well, there is a relationship between the pre and post. But if you
> prefer, I remove this comparison.

My comments, above, were a result of the wording of the hook
definition, below.

> > > +/**
> > > + * security_file_post_open() - Recheck access to a file after it has been opened
> > 
> > The LSM post hooks aren't needed to enforce access control.   Probably
> > better to say something along the lines of "take some action after
> > successful file open".
> > 
> > > + * @file: the file
> > > + * @mask: access mask
> > > + *
> > > + * Recheck access with mask after the file has been opened. The hook is useful
> > > + * for LSMs that require the file content to be available in order to make
> > > + * decisions.
> > 
> > And reword the above accordingly.
> > 
> > > + *
> > > + * Return: Returns 0 if permission is granted.
> > > + */
> > > +int security_file_post_open(struct file *file, int mask)
> > > +{
> > > +	return call_int_hook(file_post_open, 0, file, mask);
> > > +}
> > > +EXPORT_SYMBOL_GPL(security_file_post_open);
> > > +
> > >  /**
> > >   * security_file_truncate() - Check if truncating a file is allowed
> > >   * @file: file
> > 
> 




More information about the Linux-security-module-archive mailing list