www.infradead.org Git - users/dwmw2/linux.git/commit

author	Roberto Sassu <roberto.sassu@huawei.com>
	Thu, 15 Feb 2024 10:31:00 +0000 (11:31 +0100)
committer	Paul Moore <paul@paul-moore.com>
	Fri, 16 Feb 2024 04:43:42 +0000 (23:43 -0500)
commit	8f46ff5767b0b18329140d80d6bcabd818f42c4c
tree	0023bde4f2e5cacda47f6bb5edb32dd552dfeed8	tree
parent	dae52cbf5887ac51c3574648124cfe475a9b3246	commit \| diff

security: Introduce file_post_open hook

In preparation to move IMA and EVM to the LSM infrastructure, introduce the
file_post_open hook. Also, export security_file_post_open() for NFS.

Based on policy, IMA calculates the digest of the file content and
extends the TPM with the digest, verifies the file's integrity based on
the digest, and/or includes the file digest in the audit log.

LSMs could similarly take action depending on the file content and the
access mask requested with open().

The new hook returns a value and can cause the open to be aborted.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Acked-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>

fs/namei.c		diff \| blob \| history
fs/nfsd/vfs.c		diff \| blob \| history
include/linux/lsm_hook_defs.h		diff \| blob \| history
include/linux/security.h		diff \| blob \| history
security/security.c		diff \| blob \| history