On Mon, Jan 15, 2024 at 07:18:05PM +0100, Roberto Sassu wrote:
From: Roberto Sassu <roberto.sassu@huawei.com>
A few additional IMA hooks are needed to reset the cached appraisal status, causing the file's integrity to be re-evaluated on next access. Register these IMA-appraisal only functions separately from the rest of IMA functions, as appraisal is a separate feature not necessarily enabled in the kernel configuration.
Reuse the same approach as for other IMA functions: move hardcoded calls from various places in the kernel to the LSM infrastructure. Declare the functions as static and register them as hook implementations in init_ima_appraise_lsm(), called by init_ima_lsm().
Also move the inline function ima_inode_remove_acl() from the public ima.h header to ima_appraise.c.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
 fs/attr.c                             |  2 -
 include/linux/ima.h                   | 55 ---------------------------
 security/integrity/ima/ima.h          |  5 +++
 security/integrity/ima/ima_appraise.c | 38 +++++++++++++-----
 security/integrity/ima/ima_main.c     |  1 +
 security/security.c                   | 13 -------
 6 files changed, 35 insertions(+), 79 deletions(-)
diff --git a/fs/attr.c b/fs/attr.c index 221d2bb0a906..38841f3ebbcb 100644 --- a/fs/attr.c +++ b/fs/attr.c @@ -17,7 +17,6 @@ #include <linux/filelock.h> #include <linux/security.h> #include <linux/evm.h> -#include <linux/ima.h> #include "internal.h" @@ -503,7 +502,6 @@ int notify_change(struct mnt_idmap *idmap, struct dentry *dentry, if (!error) { fsnotify_change(dentry, ia_valid); security_inode_post_setattr(idmap, dentry, ia_valid);
evm_inode_post_setattr(idmap, dentry, ia_valid); }ima_inode_post_setattr(idmap, dentry, ia_valid);
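Review bot: the commit message should state that the ordering between IMA and EVM post-setattr processing is preserved by the fs/attr.c hunk: the removed direct ima_inode_post_setattr() call sat between security_inode_post_setattr() and evm_inode_post_setattr(), and after the change IMA runs inside security_inode_post_setattr(), which is still invoked before the remaining direct evm_inode_post_setattr() call, so IMA's appraisal-status reset still happens before EVM recomputes its HMAC. Dropping `#include <linux/ima.h>` in the same hunk is correct only if no other symbol from that header is used in fs/attr.c; the hunk shows only the one call being removed, so a sentence confirming that (or noting that <linux/security.h> now provides what is needed) would make the include removal self-evidently safe to a reader of the log.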
Acked-by: Christian Brauner brauner@kernel.org