[PATCH v3 16/25] security: Introduce path_post_mknod hook

Mimi Zohar zohar at linux.ibm.com
Fri Oct 13 13:12:33 UTC 2023


On Mon, 2023-09-04 at 15:34 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu at huawei.com>
> 
> In preparation for moving IMA and EVM to the LSM infrastructure, introduce
> the path_post_mknod hook.
> 
> It is useful for IMA to let new empty files be subsequently opened for
> further modification.

(Please remove "It is useful for"  here and in other patch
descriptions.  Will not repeat this again.)

Possible wording:
IMA-appraisal requires all existing files in policy to have a file
hash/signature stored in security.ima.  An exception is made for empty
files created by mknod, by tagging them as new files.

> 
> LSMs can benefit from this hook to update the inode state after a file has
> been successfully created. 

(Please remove "LSMs can benefit from" here and in other patch
descriptions.)

Please make sure that the patch description is in sync with the LSM
hook kernel doc. 

> The new hook cannot return an error and cannot
> cause the operation to be canceled.

(Separate paragaraph)

> 
> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>

-- 
thanks,

Mimi



More information about the Linux-security-module-archive mailing list