summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorRoberto Sassu <roberto.sassu@huawei.com>2024-02-15 11:31:04 +0100
committerPaul Moore <paul@paul-moore.com>2024-02-15 23:43:44 -0500
commit8b9d0b825c6573d654c8b8039ea79920926305c2 (patch)
tree8d8d0b005065fdbf63cd364719627447de4a0b91 /security
parenta7811e34d100acf24870eb949c5ae3e49dde18b9 (diff)
downloadlinux-stable-8b9d0b825c6573d654c8b8039ea79920926305c2.tar.gz
linux-stable-8b9d0b825c6573d654c8b8039ea79920926305c2.tar.bz2
linux-stable-8b9d0b825c6573d654c8b8039ea79920926305c2.zip
security: Introduce inode_post_set_acl hook
In preparation for moving IMA and EVM to the LSM infrastructure, introduce the inode_post_set_acl hook. At inode_set_acl hook, EVM verifies the file's existing HMAC value. At inode_post_set_acl, EVM re-calculates the file's HMAC based on the modified POSIX ACL and other file metadata. Other LSMs could similarly take some action after successful POSIX ACL change. The new hook cannot return an error and cannot cause the operation to be reverted. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Acked-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/security.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c
index 710db090aa8b..52f62f785087 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2351,6 +2351,23 @@ int security_inode_set_acl(struct mnt_idmap *idmap,
}
/**
+ * security_inode_post_set_acl() - Update inode security from posix acls set
+ * @dentry: file
+ * @acl_name: acl name
+ * @kacl: acl struct
+ *
+ * Update inode security data after successfully setting posix acls on @dentry.
+ * The posix acls in @kacl are identified by @acl_name.
+ */
+void security_inode_post_set_acl(struct dentry *dentry, const char *acl_name,
+ struct posix_acl *kacl)
+{
+ if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
+ return;
+ call_void_hook(inode_post_set_acl, dentry, acl_name, kacl);
+}
+
+/**
* security_inode_get_acl() - Check if reading posix acls is allowed
* @idmap: idmap of the mount
* @dentry: file