On Jan 15, 2024 Roberto Sassu roberto.sassu@huaweicloud.com wrote:
In preparation for moving IMA and EVM to the LSM infrastructure, introduce the key_post_create_or_update hook.
Depending on policy, IMA measures the key content after creation or update, so that remote verifiers are aware of the operation.
Other LSMs could similarly take some action after successful key creation or update.
The new hook cannot return an error and cannot cause the operation to be reverted.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com
Reviewed-by: Stefan Berger stefanb@linux.ibm.com
Acked-by: Casey Schaufler casey@schaufler-ca.com
Reviewed-by: Mimi Zohar zohar@linux.ibm.com
 include/linux/lsm_hook_defs.h |  3 +++
 include/linux/security.h      | 11 +++++++++++
 security/keys/key.c           |  7 ++++++-
 security/security.c           | 19 +++++++++++++++++++
 4 files changed, 39 insertions(+), 1 deletion(-)
Acked-by: Paul Moore paul@paul-moore.com
--
paul-moore.com
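As an added illustration (not part of the patch, the kernel source, or either author's message), the following userspace C model shows the property the commit message relies on: a void "post" hook such as key_post_create_or_update is dispatched to every registered module after the operation has completed and cannot veto it, whereas an int "pre" hook stops the operation at the first module that returns an error. All names (demo_*, veto_ops, measure_ops, the stand-in struct key) and the hook parameter list are assumptions chosen for the model; the real kernel types and prototypes are not reproduced here.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's struct key; only what the model needs. */
struct key {
	const char *description;
	size_t payload_len;
};

/*
 * Hypothetical per-module hook table (an assumption, not the kernel's).
 *  - key_alloc returns int: runs before the key exists and may veto.
 *  - key_post_create_or_update returns void: runs after the key was created
 *    or updated, so it can observe the event but never revert it.
 */
struct demo_lsm_ops {
	const char *name;
	int (*key_alloc)(struct key *key);
	void (*key_post_create_or_update)(struct key *keyring, struct key *key,
					  const void *payload, size_t payload_len,
					  bool create);
};

#define DEMO_MAX_LSMS 4
static const struct demo_lsm_ops *demo_lsms[DEMO_MAX_LSMS];
static int demo_nr_lsms;

static int demo_register_lsm(const struct demo_lsm_ops *ops)
{
	if (demo_nr_lsms >= DEMO_MAX_LSMS)
		return -ENOSPC;
	demo_lsms[demo_nr_lsms++] = ops;
	return 0;
}

/* Modelled on the kernel's call_int_hook: stop at the first module that objects. */
static int demo_security_key_alloc(struct key *key)
{
	for (int i = 0; i < demo_nr_lsms; i++) {
		if (!demo_lsms[i]->key_alloc)
			continue;
		int rc = demo_lsms[i]->key_alloc(key);
		if (rc)
			return rc;
	}
	return 0;
}

/* Modelled on the kernel's call_void_hook: every module is notified, no result. */
static void demo_security_key_post_create_or_update(struct key *keyring,
		struct key *key, const void *payload, size_t payload_len, bool create)
{
	for (int i = 0; i < demo_nr_lsms; i++)
		if (demo_lsms[i]->key_post_create_or_update)
			demo_lsms[i]->key_post_create_or_update(keyring, key, payload,
								payload_len, create);
}

/* Constructed module A: refuses payloads larger than 64 bytes. */
static int veto_key_alloc(struct key *key)
{
	return key->payload_len > 64 ? -EPERM : 0;
}
static const struct demo_lsm_ops veto_ops = { .name = "veto-large", .key_alloc = veto_key_alloc };

/* Constructed module B: records each post-create/update event, the way IMA
 * would measure the key content for a remote verifier. It has no veto power. */
static int measured_events;
static size_t last_measured_len;
static void measure_post_create_or_update(struct key *keyring, struct key *key,
		const void *payload, size_t payload_len, bool create)
{
	(void)keyring; (void)key; (void)payload; (void)create;
	measured_events++;
	last_measured_len = payload_len;
}
static const struct demo_lsm_ops measure_ops = {
	.name = "measure", .key_post_create_or_update = measure_post_create_or_update };

int demo_measured_events(void) { return measured_events; }
size_t demo_last_measured_len(void) { return last_measured_len; }

/* Register both modules and clear counters; safe to call repeatedly. */
void demo_setup(void)
{
	demo_nr_lsms = 0;
	measured_events = 0;
	last_measured_len = 0;
	demo_register_lsm(&veto_ops);
	demo_register_lsm(&measure_ops);
}

/* Model of the key_create_or_update() path: the int hook gates the operation,
 * the void hook is reached only once the key really was created or updated. */
int demo_key_create_or_update(struct key *keyring, const char *description,
		const void *payload, size_t payload_len, bool create)
{
	struct key key = { .description = description, .payload_len = payload_len };
	int rc = demo_security_key_alloc(&key);
	if (rc)
		return rc;	/* vetoed: nothing was created, nobody is notified */
	/* ... the real kernel instantiates or updates the key here ... */
	demo_security_key_post_create_or_update(keyring, &key, payload, payload_len, create);
	return 0;
}

int main(void)
{
	struct key keyring = { .description = "demo-keyring", .payload_len = 0 };
	demo_setup();
	int rc = demo_key_create_or_update(&keyring, "k1", "abc", 3, true);
	printf("create small: rc=%d events=%d\n", rc, demo_measured_events());
	rc = demo_key_create_or_update(&keyring, "k2", NULL, 100, true);
	printf("create large: rc=%d events=%d\n", rc, demo_measured_events());
	return 0;
}
```

The ordering in demo_key_create_or_update is the point: because the post hook only runs after the gating hook has passed and the key has been instantiated, a module on the post hook always sees a key that really exists, and the only thing it can do about it is record the event (measure, log, alert), which is exactly the contract the commit message states.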