On Jan 15, 2024 Roberto Sassu roberto.sassu@huaweicloud.com wrote:
In preparation for moving IMA and EVM to the LSM infrastructure, introduce the path_post_mknod hook.
IMA-appraisal requires all existing files in policy to have a file hash/signature stored in security.ima. An exception is made for empty files created by mknod, by tagging them as new files.
LSMs could also take some action after files are created.
The new hook cannot return an error and cannot cause the operation to be reverted.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com Acked-by: Casey Schaufler casey@schaufler-ca.com Reviewed-by: Mimi Zohar zohar@linux.ibm.com
fs/namei.c | 5 +++++ include/linux/lsm_hook_defs.h | 2 ++ include/linux/security.h | 5 +++++ security/security.c | 14 ++++++++++++++ 4 files changed, 26 insertions(+)
Acked-by: Paul Moore paul@paul-moore.com
-- paul-moore.com