summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorRoberto Sassu <roberto.sassu@huawei.com>2024-02-15 11:31:05 +0100
committerPaul Moore <paul@paul-moore.com>2024-02-16 05:43:44 +0100
commit2d705d8024143c272a764320c880ccd3230bb699 (patch)
tree4c035efcf4b0ef325be26899493647ea3d343f6a /security
parentsecurity: Introduce inode_post_set_acl hook (diff)
downloadlinux-2d705d8024143c272a764320c880ccd3230bb699.tar.xz
linux-2d705d8024143c272a764320c880ccd3230bb699.zip
security: Introduce inode_post_remove_acl hook
In preparation for moving IMA and EVM to the LSM infrastructure, introduce the inode_post_remove_acl hook. At inode_remove_acl hook, EVM verifies the file's existing HMAC value. At inode_post_remove_acl, EVM re-calculates the file's HMAC with the passed POSIX ACL removed and other file metadata. Other LSMs could similarly take some action after successful POSIX ACL removal. The new hook cannot return an error and cannot cause the operation to be reverted. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Acked-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/security.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c
index 52f62f785087..3bed660fc950 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2414,6 +2414,23 @@ int security_inode_remove_acl(struct mnt_idmap *idmap,
}
/**
+ * security_inode_post_remove_acl() - Update inode security after rm posix acls
+ * @idmap: idmap of the mount
+ * @dentry: file
+ * @acl_name: acl name
+ *
+ * Update inode security data after successfully removing posix acls on
+ * @dentry in @idmap. The posix acls are identified by @acl_name.
+ */
+void security_inode_post_remove_acl(struct mnt_idmap *idmap,
+ struct dentry *dentry, const char *acl_name)
+{
+ if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
+ return;
+ call_void_hook(inode_post_remove_acl, idmap, dentry, acl_name);
+}
+
+/**
* security_inode_post_setxattr() - Update the inode after a setxattr operation
* @dentry: file
* @name: xattr name