On Mon, Jan 15, 2024 at 07:17:56PM +0100, Roberto Sassu wrote:
From: Roberto Sassu roberto.sassu@huawei.com
In preparation to move IMA and EVM to the LSM infrastructure, introduce the file_post_open hook. Also, export security_file_post_open() for NFS.
Based on policy, IMA calculates the digest of the file content and extends the TPM with the digest, verifies the file's integrity based on the digest, and/or includes the file digest in the audit log.
LSMs could similarly take action depending on the file content and the access mask requested with open().
The new hook returns a value and can cause the open to be aborted.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com Reviewed-by: Stefan Berger stefanb@linux.ibm.com Acked-by: Casey Schaufler casey@schaufler-ca.com Reviewed-by: Mimi Zohar zohar@linux.ibm.com
fs/namei.c | 2 ++
Acked-by: Christian Brauner brauner@kernel.org