Thread: 79 messages, 5 authors, 2023-08-30

Re: [PATCH 21/28] security: Introduce inode_post_remove_acl hook

From: Stefan Berger <stefanb@linux.ibm.com>
Date: 2023-03-06 18:16:22
Also in: keyrings, linux-fsdevel, linux-integrity, linux-nfs, lkml, selinux


On 3/6/23 10:34, Roberto Sassu wrote:
On Mon, 2023-03-06 at 10:22 -0500, Stefan Berger wrote:
On 3/3/23 13:18, Roberto Sassu wrote:
From: Roberto Sassu <roberto.sassu@huawei.com>

In preparation for moving IMA and EVM to the LSM infrastructure, introduce
the inode_post_remove_acl hook.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
   
+/**
+ * security_inode_post_remove_acl() - Update inode sec after remove_acl op
+ * @idmap: idmap of the mount
+ * @dentry: file
+ * @acl_name: acl name
+ *
+ * Update inode security field after successful remove_acl operation on @dentry
+ * in @idmap. The posix acls are identified by @acl_name.
+ */
+void security_inode_post_remove_acl(struct mnt_idmap *idmap,
+				    struct dentry *dentry, const char *acl_name)
+{
+	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
+		return;
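Review bot: the early return on IS_PRIVATE(d_backing_inode(dentry)) is a behaviour change relative to the IMA/EVM code this hook is meant to replace, which (as the discussion below notes) did not filter private inodes; the commit message should say explicitly that the filter is there to match the other security_inode_* hooks in security.c, so reviewers can see the difference is intentional rather than accidental. Minor kernel-doc nit: `@dentry: file` could read `@dentry: dentry of the file whose ACL was removed`, and "inode sec" in the summary line is better spelled out as "inode security".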
Was it a mistake before that the EVM and IMA functions did not filter out private inodes?
Looks like that. At least for hooks that are not called from
security.c.
It seems that all security_* functions are filtering on private inodes. Anonymous inodes have them and some filesystems set the S_PRIVATE flag. So it may not make a difference for IMA and EVM then.

     Stefan
Thanks

Roberto