mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-01 10:42:11 +00:00
security: Introduce inode_post_remove_acl hook
In preparation for moving IMA and EVM to the LSM infrastructure, introduce the inode_post_remove_acl hook. At inode_remove_acl hook, EVM verifies the file's existing HMAC value. At inode_post_remove_acl, EVM re-calculates the file's HMAC with the passed POSIX ACL removed and other file metadata. Other LSMs could similarly take some action after successful POSIX ACL removal. The new hook cannot return an error and cannot cause the operation to be reverted. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Acked-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
parent
8b9d0b825c
commit
2d705d8024
@ -1246,6 +1246,7 @@ int vfs_remove_acl(struct mnt_idmap *idmap, struct dentry *dentry,
|
|||||||
error = -EIO;
|
error = -EIO;
|
||||||
if (!error) {
|
if (!error) {
|
||||||
fsnotify_xattr(dentry);
|
fsnotify_xattr(dentry);
|
||||||
|
security_inode_post_remove_acl(idmap, dentry, acl_name);
|
||||||
evm_inode_post_remove_acl(idmap, dentry, acl_name);
|
evm_inode_post_remove_acl(idmap, dentry, acl_name);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -163,6 +163,8 @@ LSM_HOOK(int, 0, inode_get_acl, struct mnt_idmap *idmap,
|
|||||||
struct dentry *dentry, const char *acl_name)
|
struct dentry *dentry, const char *acl_name)
|
||||||
LSM_HOOK(int, 0, inode_remove_acl, struct mnt_idmap *idmap,
|
LSM_HOOK(int, 0, inode_remove_acl, struct mnt_idmap *idmap,
|
||||||
struct dentry *dentry, const char *acl_name)
|
struct dentry *dentry, const char *acl_name)
|
||||||
|
LSM_HOOK(void, LSM_RET_VOID, inode_post_remove_acl, struct mnt_idmap *idmap,
|
||||||
|
struct dentry *dentry, const char *acl_name)
|
||||||
LSM_HOOK(int, 0, inode_need_killpriv, struct dentry *dentry)
|
LSM_HOOK(int, 0, inode_need_killpriv, struct dentry *dentry)
|
||||||
LSM_HOOK(int, 0, inode_killpriv, struct mnt_idmap *idmap,
|
LSM_HOOK(int, 0, inode_killpriv, struct mnt_idmap *idmap,
|
||||||
struct dentry *dentry)
|
struct dentry *dentry)
|
||||||
|
@ -378,6 +378,9 @@ int security_inode_get_acl(struct mnt_idmap *idmap,
|
|||||||
struct dentry *dentry, const char *acl_name);
|
struct dentry *dentry, const char *acl_name);
|
||||||
int security_inode_remove_acl(struct mnt_idmap *idmap,
|
int security_inode_remove_acl(struct mnt_idmap *idmap,
|
||||||
struct dentry *dentry, const char *acl_name);
|
struct dentry *dentry, const char *acl_name);
|
||||||
|
void security_inode_post_remove_acl(struct mnt_idmap *idmap,
|
||||||
|
struct dentry *dentry,
|
||||||
|
const char *acl_name);
|
||||||
void security_inode_post_setxattr(struct dentry *dentry, const char *name,
|
void security_inode_post_setxattr(struct dentry *dentry, const char *name,
|
||||||
const void *value, size_t size, int flags);
|
const void *value, size_t size, int flags);
|
||||||
int security_inode_getxattr(struct dentry *dentry, const char *name);
|
int security_inode_getxattr(struct dentry *dentry, const char *name);
|
||||||
@ -936,6 +939,11 @@ static inline int security_inode_remove_acl(struct mnt_idmap *idmap,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline void security_inode_post_remove_acl(struct mnt_idmap *idmap,
|
||||||
|
struct dentry *dentry,
|
||||||
|
const char *acl_name)
|
||||||
|
{ }
|
||||||
|
|
||||||
static inline void security_inode_post_setxattr(struct dentry *dentry,
|
static inline void security_inode_post_setxattr(struct dentry *dentry,
|
||||||
const char *name, const void *value, size_t size, int flags)
|
const char *name, const void *value, size_t size, int flags)
|
||||||
{ }
|
{ }
|
||||||
|
@ -2413,6 +2413,23 @@ int security_inode_remove_acl(struct mnt_idmap *idmap,
|
|||||||
return evm_inode_remove_acl(idmap, dentry, acl_name);
|
return evm_inode_remove_acl(idmap, dentry, acl_name);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* security_inode_post_remove_acl() - Update inode security after rm posix acls
|
||||||
|
* @idmap: idmap of the mount
|
||||||
|
* @dentry: file
|
||||||
|
* @acl_name: acl name
|
||||||
|
*
|
||||||
|
* Update inode security data after successfully removing posix acls on
|
||||||
|
* @dentry in @idmap. The posix acls are identified by @acl_name.
|
||||||
|
*/
|
||||||
|
void security_inode_post_remove_acl(struct mnt_idmap *idmap,
|
||||||
|
struct dentry *dentry, const char *acl_name)
|
||||||
|
{
|
||||||
|
if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
|
||||||
|
return;
|
||||||
|
call_void_hook(inode_post_remove_acl, idmap, dentry, acl_name);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_inode_post_setxattr() - Update the inode after a setxattr operation
|
* security_inode_post_setxattr() - Update the inode after a setxattr operation
|
||||||
* @dentry: file
|
* @dentry: file
|
||||||
|
Loading…
Reference in New Issue
Block a user