diff options
author | Roberto Sassu <roberto.sassu@huawei.com> | 2024-02-15 11:31:10 +0100 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2024-02-16 05:43:47 +0100 |
commit | 9238311176115aac1b1a86e8e968c04ebec747a1 (patch) | |
tree | 8f7a1898b2c23077045bce158dfc98c0cadb8236 /fs/attr.c | |
parent | ima: Move IMA-Appraisal to LSM infrastructure (diff) | |
download | linux-9238311176115aac1b1a86e8e968c04ebec747a1.tar.xz linux-9238311176115aac1b1a86e8e968c04ebec747a1.zip |
evm: Move to LSM infrastructure
As for IMA, move hardcoded EVM function calls from various places in the
kernel to the LSM infrastructure, by introducing a new LSM named 'evm'
(last and always enabled like 'ima'). The order in the Makefile ensures
that 'evm' hooks are executed after 'ima' ones.
Make EVM functions as static (except for evm_inode_init_security(), which
is exported), and register them as hook implementations in init_evm_lsm().
Also move the inline functions evm_inode_remove_acl(),
evm_inode_post_remove_acl(), and evm_inode_post_set_acl() from the public
evm.h header to evm_main.c.
Unlike before (see commit to move IMA to the LSM infrastructure),
evm_inode_post_setattr(), evm_inode_post_set_acl(),
evm_inode_post_remove_acl(), and evm_inode_post_removexattr() are not
executed for private inodes.
Finally, add the LSM_ID_EVM case in lsm_list_modules_test.c
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Christian Brauner <brauner@kernel.org>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'fs/attr.c')
-rw-r--r-- | fs/attr.c | 2 |
1 files changed, 0 insertions, 2 deletions
diff --git a/fs/attr.c b/fs/attr.c index 7e97313e7f70..4d0d75953107 100644 --- a/fs/attr.c +++ b/fs/attr.c @@ -16,7 +16,6 @@ #include <linux/fcntl.h> #include <linux/filelock.h> #include <linux/security.h> -#include <linux/evm.h> #include "internal.h" @@ -502,7 +501,6 @@ int notify_change(struct mnt_idmap *idmap, struct dentry *dentry, if (!error) { fsnotify_change(dentry, ia_valid); security_inode_post_setattr(idmap, dentry, ia_valid); - evm_inode_post_setattr(idmap, dentry, ia_valid); } return error; |