summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorRoberto Sassu <roberto.sassu@huawei.com>2024-02-15 11:30:58 +0100
committerPaul Moore <paul@paul-moore.com>2024-02-15 23:43:42 -0500
commit77fa6f314f0376176ef6bf3d84403e0d8b54ce28 (patch)
tree60fa6a1ee957c2387f77fbc8aaffcb92a7299c9b /security
parent314a8dc728d038378795236f6b5199265f921f45 (diff)
downloadlinux-stable-77fa6f314f0376176ef6bf3d84403e0d8b54ce28.tar.gz
linux-stable-77fa6f314f0376176ef6bf3d84403e0d8b54ce28.tar.bz2
linux-stable-77fa6f314f0376176ef6bf3d84403e0d8b54ce28.zip
security: Introduce inode_post_setattr hook
In preparation for moving IMA and EVM to the LSM infrastructure, introduce the inode_post_setattr hook. At inode_setattr hook, EVM verifies the file's existing HMAC value. At inode_post_setattr, EVM re-calculates the file's HMAC based on the modified file attributes and other file metadata. Other LSMs could similarly take some action after successful file attribute change. The new hook cannot return an error and cannot cause the operation to be reverted. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/security.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c
index 9dc601d45960..56527d5415e2 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2223,6 +2223,22 @@ int security_inode_setattr(struct mnt_idmap *idmap,
EXPORT_SYMBOL_GPL(security_inode_setattr);
/**
+ * security_inode_post_setattr() - Update the inode after a setattr operation
+ * @idmap: idmap of the mount
+ * @dentry: file
+ * @ia_valid: file attributes set
+ *
+ * Update inode security field after successful setting file attributes.
+ */
+void security_inode_post_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ int ia_valid)
+{
+ if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
+ return;
+ call_void_hook(inode_post_setattr, idmap, dentry, ia_valid);
+}
+
+/**
* security_inode_getattr() - Check if getting file attributes is allowed
* @path: file
*