summaryrefslogtreecommitdiffstats
path: root/security/security.c
diff options
context:
space:
mode:
authorRoberto Sassu <roberto.sassu@huawei.com>2024-02-15 11:31:02 +0100
committerPaul Moore <paul@paul-moore.com>2024-02-16 05:43:43 +0100
commit08abce60d63fb55f440c393f4508e99064f2fd91 (patch)
treebc903aa7b37fbbb9c9f71a5b705838b18c0b4489 /security/security.c
parentsecurity: Introduce file_release hook (diff)
downloadlinux-08abce60d63fb55f440c393f4508e99064f2fd91.tar.xz
linux-08abce60d63fb55f440c393f4508e99064f2fd91.zip
security: Introduce path_post_mknod hook
In preparation for moving IMA and EVM to the LSM infrastructure, introduce the path_post_mknod hook. IMA-appraisal requires all existing files in policy to have a file hash/signature stored in security.ima. An exception is made for empty files created by mknod, by tagging them as new files. LSMs could also take some action after files are created. The new hook cannot return an error and cannot cause the operation to be reverted. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Acked-by: Christian Brauner <brauner@kernel.org> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/security.c')
-rw-r--r--security/security.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c
index 99004c44ce55..ee4582e1d4d0 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1801,6 +1801,20 @@ int security_path_mknod(const struct path *dir, struct dentry *dentry,
EXPORT_SYMBOL(security_path_mknod);
/**
+ * security_path_post_mknod() - Update inode security field after file creation
+ * @idmap: idmap of the mount
+ * @dentry: new file
+ *
+ * Update inode security field after a file has been created.
+ */
+void security_path_post_mknod(struct mnt_idmap *idmap, struct dentry *dentry)
+{
+ if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
+ return;
+ call_void_hook(path_post_mknod, idmap, dentry);
+}
+
+/**
* security_path_mkdir() - Check if creating a new directory is allowed
* @dir: parent directory
* @dentry: new directory