summaryrefslogtreecommitdiffstats
path: root/include/linux
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.ibm.com>2019-01-22 14:06:49 -0600
committerMimi Zohar <zohar@linux.ibm.com>2019-02-04 17:36:01 -0500
commitfdb2410f7702f25f82804a261f90ad03422bd2c3 (patch)
tree1e1389a728449aec6871e473414903bbcd3be0b9 /include/linux
parentc8b37524d3cdbcf07426529cb83b38b1240cb54d (diff)
downloadlinux-fdb2410f7702f25f82804a261f90ad03422bd2c3.tar.gz
linux-fdb2410f7702f25f82804a261f90ad03422bd2c3.tar.bz2
linux-fdb2410f7702f25f82804a261f90ad03422bd2c3.zip
ima: define ima_post_create_tmpfile() hook and add missing call
If tmpfiles can be made persistent, then newly created tmpfiles need to be treated like any other new files in policy. This patch indicates which newly created tmpfiles are in policy, causing the file hash to be calculated on __fput(). Reported-by: Ignaz Forster <ignaz.forster@gmx.de> [rgoldwyn@suse.com: Call ima_post_create_tmpfile() in vfs_tmpfile() as opposed to do_tmpfile(). This will help the case for overlayfs where copy_up is denied while overwriting a file.] Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/ima.h5
1 files changed, 5 insertions, 0 deletions
diff --git a/include/linux/ima.h b/include/linux/ima.h
index b5e16b8c50b7..dc12fbcf484c 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -18,6 +18,7 @@ struct linux_binprm;
#ifdef CONFIG_IMA
extern int ima_bprm_check(struct linux_binprm *bprm);
extern int ima_file_check(struct file *file, int mask);
+extern void ima_post_create_tmpfile(struct inode *inode);
extern void ima_file_free(struct file *file);
extern int ima_file_mmap(struct file *file, unsigned long prot);
extern int ima_load_data(enum kernel_load_data_id id);
@@ -56,6 +57,10 @@ static inline int ima_file_check(struct file *file, int mask)
return 0;
}
+static inline void ima_post_create_tmpfile(struct inode *inode)
+{
+}
+
static inline void ima_file_free(struct file *file)
{
return;