Thread: 6 messages, 3 authors, 2021-10-13

Re: [PATCH 2/2] fs: extend the trusted_for syscall to call IMA

From: Mickaël Salaün <mic@digikod.net>
Date: 2021-10-13 15:25:41
Also in: linux-integrity, lkml

Nice!

On 13/10/2021 13:01, Mimi Zohar wrote:
Extend the trusted_for syscall to call the newly defined
ima_trusted_for hook.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 fs/open.c           | 3 +++
 include/linux/ima.h | 9 +++++++++
 2 files changed, 12 insertions(+)
diff --git a/fs/open.c b/fs/open.c
index c79c138a638c..4d54e2a727e1 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -585,6 +585,9 @@ SYSCALL_DEFINE3(trusted_for, const int, fd, const enum trusted_for_usage, usage,
 	err = inode_permission(file_mnt_user_ns(f.file), inode,
 			mask | MAY_ACCESS);
 
+	if (!err)
+		err = ima_trusted_for(f.file, usage);
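
Review bot: the commit message does not say what ima_trusted_for() does with the file (measure, appraise, audit) or which error codes it can return, yet in the added `if (!err)` branch its return value is assigned straight to `err` in the trusted_for syscall. Please document the hook's return contract in the commit message or next to its declaration in include/linux/ima.h. Also state whether skipping the call when inode_permission() fails is intended, since with this ordering IMA never sees a check that was already denied.
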
Could you please implement a new LSM hook instead? Other LSMs may want
to use this information as well.