On Tue, Jan 16, 2024 at 08:51:11AM -0800, Casey Schaufler wrote:
On 1/16/2024 12:47 AM, Roberto Sassu wrote:
On Mon, 2024-01-15 at 19:15 +0000, Al Viro wrote:
On Mon, Jan 15, 2024 at 07:17:57PM +0100, Roberto Sassu wrote:
From: Roberto Sassu roberto.sassu@huawei.com
In preparation for moving IMA and EVM to the LSM infrastructure, introduce the file_release hook.
IMA calculates at file close the new digest of the file content and writes it to security.ima, so that appraisal at next file access succeeds.
An LSM could implement an exclusive access scheme for files, only allowing access to files that have no references.
Elaborate that last part, please.
Apologies, I didn't understand that either. Casey?
Just a hypothetical notion that if an LSM wanted to implement an exclusive access scheme it might find the proposed hook helpful. I don't have any plan to create such a scheme, nor do I think that a file_release hook would be the only thing you'd need.
Exclusive access to what? "No more than one opened file with this inode at a time"? It won't serialize IO operations, obviously... Details, please.