On Jan 15, 2024 Roberto Sassu roberto.sassu@huaweicloud.com wrote:
> In preparation for moving IMA and EVM to the LSM infrastructure, introduce the file_release hook.
>
> IMA calculates at file close the new digest of the file content and writes it to security.ima, so that appraisal at next file access succeeds.
>
> An LSM could implement an exclusive access scheme for files, only allowing access to files that have no references.
Let's drop the above sentence as it is a little vague and is causing some concern with the VFS folks. While I want to see the hooks explained and documented in the code, I've never been a big fan of speculating about potential future uses of the hook; that's dangerous IMO.
Otherwise this looks good.
Acked-by: Paul Moore paul@paul-moore.com
> The new hook cannot return an error and cannot cause the operation to be reverted.
>
> Signed-off-by: Roberto Sassu roberto.sassu@huawei.com
> ---
>  fs/file_table.c               |  1 +
>  include/linux/lsm_hook_defs.h |  1 +
>  include/linux/security.h      |  4 ++++
>  security/security.c           | 11 +++++++++++
>  4 files changed, 17 insertions(+)
-- paul-moore.com