From: Mimi Zohar <zohar@linux.ibm.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH 2/2] fs: extend the trusted_for syscall to call IMA
Date: Wed, 13 Oct 2021 11:45:01 -0400
Message-ID: <e1c2d34acb37d85e94af15ca1edd162e1e7f9a2a.camel@linux.ibm.com>
In-Reply-To: <d4273866-607e-37be-076b-a920bbf08bf9@digikod.net>
[CC'ing Casey]
On Wed, 2021-10-13 at 17:26 +0200, Mickaël Salaün wrote:
> Nice!
>
> On 13/10/2021 13:01, Mimi Zohar wrote:
> > Extend the trusted_for syscall to call the newly defined
> > ima_trusted_for hook.
> >
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > ---
> > fs/open.c | 3 +++
> > include/linux/ima.h | 9 +++++++++
> > 2 files changed, 12 insertions(+)
> >
> > diff --git a/fs/open.c b/fs/open.c
> > index c79c138a638c..4d54e2a727e1 100644
> > --- a/fs/open.c
> > +++ b/fs/open.c
> > @@ -585,6 +585,9 @@ SYSCALL_DEFINE3(trusted_for, const int, fd, const enum trusted_for_usage, usage,
> > err = inode_permission(file_mnt_user_ns(f.file), inode,
> > mask | MAY_ACCESS);
> >
> > + if (!err)
> > + err = ima_trusted_for(f.file, usage);
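Review bot: the new check is wired straight into the syscall as `err = ima_trusted_for(f.file, usage);`, so IMA is the only security module that can observe or veto a trusted_for request; a `security_trusted_for(f.file, usage)` hook in the LSM framework, with IMA as its first implementation, would give other modules the same information without changing the `if (!err)` gating or error propagation shown here. The patch description should also state that a successful inode_permission() can still be denied by IMA policy at this point, since that is a visible behaviour change for callers of the syscall.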
>
> Could you please implement a new LSM hook instead? Other LSMs may want
> to use this information as well.
Casey normally pushes back on my defining a new LSM hook, when IMA is
the only user. If any of the LSM maintainers are planning on defining
this hook, please chime in.
thanks,
Mimi
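The point Mickaël raises, that an LSM hook lets several modules consume the same event while a direct IMA call does not, is easier to see in running code. The following is an added userspace model, not code from the patch series or from the kernel: it contrasts the hardcoded shape of the hunk above with a stackable hook list that follows call_int_hook() semantics (every registered module runs, first non-zero return wins). The hook and module names, the two toy policies and the TRUSTED_FOR_EXECUTION value are assumptions made for the illustration.

```c
/*
 * Added userspace model, not kernel code: it contrasts a trusted_for
 * implementation that calls IMA directly with one that dispatches through
 * a stackable LSM-style hook list. The hook names, the policy rules and
 * the TRUSTED_FOR_EXECUTION value are assumptions for illustration.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum trusted_for_usage { TRUSTED_FOR_EXECUTION = 1 };   /* assumed value */

/* Stand-in for struct file: a path plus a constructed appraisal result. */
struct tf_file {
	const char *path;
	int appraised_ok;   /* 1 if an IMA-style signature/hash check passed */
};

typedef int (*tf_hook)(const struct tf_file *f, enum trusted_for_usage usage);

#define MAX_HOOKS 8
static tf_hook hooks[MAX_HOOKS];
static int nr_hooks;

/* Register a hook; stands in for security_add_hooks() at LSM init. */
int register_trusted_for_hook(tf_hook h)
{
	if (nr_hooks >= MAX_HOOKS)
		return -ENOSPC;
	hooks[nr_hooks++] = h;
	return 0;
}

void reset_trusted_for_hooks(void)
{
	nr_hooks = 0;
}

/*
 * Dispatch with the usual call_int_hook() semantics: every registered
 * module runs in order and the first non-zero return ends the call.
 */
int security_trusted_for(const struct tf_file *f, enum trusted_for_usage usage)
{
	for (int i = 0; i < nr_hooks; i++) {
		int rc = hooks[i](f, usage);
		if (rc)
			return rc;
	}
	return 0;
}

/* Toy IMA-like module: refuse execution if appraisal failed. */
static int ima_like_hook(const struct tf_file *f, enum trusted_for_usage usage)
{
	if (usage == TRUSTED_FOR_EXECUTION && !f->appraised_ok)
		return -EACCES;
	return 0;
}

/* Toy second module: refuse execution from /tmp whatever IMA decided. */
static int path_policy_hook(const struct tf_file *f, enum trusted_for_usage usage)
{
	if (usage == TRUSTED_FOR_EXECUTION && strncmp(f->path, "/tmp/", 5) == 0)
		return -EPERM;
	return 0;
}

/* Shape of the hunk under discussion: only IMA is consulted. */
int trusted_for_hardcoded(const struct tf_file *f, enum trusted_for_usage usage)
{
	return ima_like_hook(f, usage);
}

/* Hook-based shape: IMA and any other module both get a say. */
int trusted_for_via_hooks(const struct tf_file *f, enum trusted_for_usage usage)
{
	reset_trusted_for_hooks();
	register_trusted_for_hook(ima_like_hook);
	register_trusted_for_hook(path_policy_hook);
	return security_trusted_for(f, usage);
}

int main(void)
{
	/* Constructed inputs: a well-signed script in /tmp, an unsigned binary in /usr. */
	const struct tf_file signed_tmp = { "/tmp/helper.sh", 1 };
	const struct tf_file unsigned_usr = { "/usr/bin/tool", 0 };

	printf("hardcoded: %s -> %d, %s -> %d\n",
	       signed_tmp.path, trusted_for_hardcoded(&signed_tmp, TRUSTED_FOR_EXECUTION),
	       unsigned_usr.path, trusted_for_hardcoded(&unsigned_usr, TRUSTED_FOR_EXECUTION));
	printf("via hooks: %s -> %d, %s -> %d\n",
	       signed_tmp.path, trusted_for_via_hooks(&signed_tmp, TRUSTED_FOR_EXECUTION),
	       unsigned_usr.path, trusted_for_via_hooks(&unsigned_usr, TRUSTED_FOR_EXECUTION));
	return 0;
}
```

With the hardcoded shape the signed script in /tmp is accepted because IMA is the only voice; with the hook list the second module denies it, while the unsigned binary is refused either way because IMA runs first. That is the practical difference behind the request for a generic hook rather than an IMA-specific call.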
Thread overview: 6+ messages
2021-10-13 11:01 [PATCH 1/2] ima: define ima_trusted_for hook Mimi Zohar
2021-10-13 11:01 ` [PATCH 2/2] fs: extend the trusted_for syscall to call IMA Mimi Zohar
2021-10-13 15:26 ` Mickaël Salaün
2021-10-13 15:45 ` Mimi Zohar [this message]
2021-10-13 17:24 ` Casey Schaufler
2021-10-13 14:34 ` [PATCH 1/2] ima: define ima_trusted_for hook Mimi Zohar