security: Introduce file_post_open hook
author Roberto Sassu <roberto.sassu@huawei.com>
Thu, 15 Feb 2024 10:31:00 +0000 (11:31 +0100)
committer Paul Moore <paul@paul-moore.com>
Fri, 16 Feb 2024 04:43:42 +0000 (23:43 -0500)
commit 8f46ff5767b0b18329140d80d6bcabd818f42c4c
tree 0023bde4f2e5cacda47f6bb5edb32dd552dfeed8
parent dae52cbf5887ac51c3574648124cfe475a9b3246
security: Introduce file_post_open hook

In preparation to move IMA and EVM to the LSM infrastructure, introduce the
file_post_open hook. Also, export security_file_post_open() for NFS.

Based on policy, IMA calculates the digest of the file content and
extends the TPM with the digest, verifies the file's integrity based on
the digest, and/or includes the file digest in the audit log.

LSMs could similarly take action depending on the file content and the
access mask requested with open().

The new hook returns a value and can cause the open to be aborted.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Acked-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
fs/namei.c
fs/nfsd/vfs.c
include/linux/lsm_hook_defs.h
include/linux/security.h
security/security.c