[PATCH v9 13/25] security: Introduce file_release hook
Paul Moore
paul at paul-moore.com
Thu Feb 8 03:18:44 UTC 2024
On Jan 15, 2024 Roberto Sassu <roberto.sassu at huaweicloud.com> wrote:
>
> In preparation for moving IMA and EVM to the LSM infrastructure, introduce
> the file_release hook.
>
> IMA calculates at file close the new digest of the file content and writes
> it to security.ima, so that appraisal at next file access succeeds.
>
> An LSM could implement an exclusive access scheme for files, only allowing
> access to files that have no references.
Let's drop the above sentence as it is is a little vague and is causing
some concern with the VFS folks. While I want to see the hooks explained
and documented in the code, I've never been a big fan of speculating
about potential future uses of the hook, that's dangerous IMO.
Otherwise this looks good.
Acked-by: Paul Moore <paul at paul-moore.com>
> The new hook cannot return an error and cannot cause the operation to be
> reverted.
>
> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> ---
> fs/file_table.c | 1 +
> include/linux/lsm_hook_defs.h | 1 +
> include/linux/security.h | 4 ++++
> security/security.c | 11 +++++++++++
> 4 files changed, 17 insertions(+)
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list