Re: [PATCH v9 12/25] security: Introduce file_post_open hook

[PATCH v9 00/25] security: Move IMA and EVM to the LSM infrastructure · Roberto Sassu <hidden> · 2024-01-15
[PATCH v9 01/25] ima: Align ima_inode_post_setattr() definition with LSM infrastructure · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 1/25] ima: Align ima_inode_post_setattr() definition with LSM infrastructure · Paul Moore <paul@paul-moore.com> · 2024-02-08
[PATCH v9 02/25] ima: Align ima_file_mprotect() definition with LSM infrastructure · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 2/25] ima: Align ima_file_mprotect() definition with LSM infrastructure · Paul Moore <paul@paul-moore.com> · 2024-02-08
[PATCH v9 03/25] ima: Align ima_inode_setxattr() definition with LSM infrastructure · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 3/25] ima: Align ima_inode_setxattr() definition with LSM infrastructure · Paul Moore <paul@paul-moore.com> · 2024-02-08
[PATCH v9 05/25] ima: Align ima_post_read_file() definition with LSM infrastructure · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 5/25] ima: Align ima_post_read_file() definition with LSM infrastructure · Paul Moore <paul@paul-moore.com> · 2024-02-08
[PATCH v9 06/25] evm: Align evm_inode_post_setattr() definition with LSM infrastructure · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 6/25] evm: Align evm_inode_post_setattr() definition with LSM infrastructure · Paul Moore <paul@paul-moore.com> · 2024-02-08
[PATCH v9 07/25] evm: Align evm_inode_setxattr() definition with LSM infrastructure · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 7/25] evm: Align evm_inode_setxattr() definition with LSM infrastructure · Paul Moore <paul@paul-moore.com> · 2024-02-08
[PATCH v9 08/25] evm: Align evm_inode_post_setxattr() definition with LSM infrastructure · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 8/25] evm: Align evm_inode_post_setxattr() definition with LSM infrastructure · Paul Moore <paul@paul-moore.com> · 2024-02-08
[PATCH v9 09/25] security: Align inode_setattr hook definition with EVM · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 9/25] security: Align inode_setattr hook definition with EVM · Paul Moore <paul@paul-moore.com> · 2024-02-08
[PATCH v9 10/25] security: Introduce inode_post_setattr hook · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 10/25] security: Introduce inode_post_setattr hook · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 10/25] security: Introduce inode_post_setattr hook · Christian Brauner <brauner@kernel.org> · 2024-02-09
[PATCH v9 11/25] security: Introduce inode_post_removexattr hook · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 11/25] security: Introduce inode_post_removexattr hook · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 11/25] security: Introduce inode_post_removexattr hook · Christian Brauner <brauner@kernel.org> · 2024-02-09
[PATCH v9 12/25] security: Introduce file_post_open hook · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Christian Brauner <brauner@kernel.org> · 2024-02-09
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Christian Brauner <brauner@kernel.org> · 2024-02-09
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Christian Brauner <brauner@kernel.org> · 2024-02-09
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Roberto Sassu <hidden> · 2024-02-09
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Christian Brauner <brauner@kernel.org> · 2024-02-09
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Roberto Sassu <hidden> · 2024-02-09
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Mimi Zohar <zohar@linux.ibm.com> · 2024-02-12
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Paul Moore <paul@paul-moore.com> · 2024-02-12
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Roberto Sassu <hidden> · 2024-02-13
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Paul Moore <paul@paul-moore.com> · 2024-02-13
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Mimi Zohar <zohar@linux.ibm.com> · 2024-02-14
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Paul Moore <paul@paul-moore.com> · 2024-02-14
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Mimi Zohar <zohar@linux.ibm.com> · 2024-02-15
Re: [PATCH v9 12/25] security: Introduce file_post_open hook · Paul Moore <paul@paul-moore.com> · 2024-02-15
[PATCH v9 14/25] security: Introduce path_post_mknod hook · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 14/25] security: Introduce path_post_mknod hook · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 14/25] security: Introduce path_post_mknod hook · Christian Brauner <brauner@kernel.org> · 2024-02-09
Re: [PATCH v9 14/25] security: Introduce path_post_mknod hook · Stefan Berger <stefanb@linux.ibm.com> · 2024-02-12
[PATCH v9 15/25] security: Introduce inode_post_create_tmpfile hook · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 15/25] security: Introduce inode_post_create_tmpfile hook · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 15/25] security: Introduce inode_post_create_tmpfile hook · Christian Brauner <brauner@kernel.org> · 2024-02-09
Re: [PATCH v9 15/25] security: Introduce inode_post_create_tmpfile hook · Stefan Berger <stefanb@linux.ibm.com> · 2024-02-12
[PATCH v9 16/25] security: Introduce inode_post_set_acl hook · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 16/25] security: Introduce inode_post_set_acl hook · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 16/25] security: Introduce inode_post_set_acl hook · Christian Brauner <brauner@kernel.org> · 2024-02-09
[PATCH v9 17/25] security: Introduce inode_post_remove_acl hook · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 17/25] security: Introduce inode_post_remove_acl hook · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 17/25] security: Introduce inode_post_remove_acl hook · Christian Brauner <brauner@kernel.org> · 2024-02-09
[PATCH v9 18/25] security: Introduce key_post_create_or_update hook · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 18/25] security: Introduce key_post_create_or_update hook · Paul Moore <paul@paul-moore.com> · 2024-02-08
[PATCH v9 19/25] integrity: Move integrity_kernel_module_request() to IMA · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 19/25] integrity: Move integrity_kernel_module_request() to IMA · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 19/25] integrity: Move integrity_kernel_module_request() to IMA · Stefan Berger <stefanb@linux.ibm.com> · 2024-02-12
Re: [PATCH v9 19/25] integrity: Move integrity_kernel_module_request() to IMA · Paul Moore <paul@paul-moore.com> · 2024-02-12
Re: [PATCH v9 19/25] integrity: Move integrity_kernel_module_request() to IMA · Stefan Berger <stefanb@linux.ibm.com> · 2024-02-12
Re: [PATCH v9 19/25] integrity: Move integrity_kernel_module_request() to IMA · Roberto Sassu <hidden> · 2024-02-13
Re: [PATCH v9 19/25] integrity: Move integrity_kernel_module_request() to IMA · Stefan Berger <stefanb@linux.ibm.com> · 2024-02-13
Re: [PATCH v9 19/25] integrity: Move integrity_kernel_module_request() to IMA · Roberto Sassu <hidden> · 2024-02-15
[PATCH v9 20/25] ima: Move to LSM infrastructure · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 20/25] ima: Move to LSM infrastructure · Casey Schaufler <casey@schaufler-ca.com> · 2024-01-16
Re: [PATCH v9 20/25] ima: Move to LSM infrastructure · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 20/25] ima: Move to LSM infrastructure · Christian Brauner <brauner@kernel.org> · 2024-02-09
Re: [PATCH v9 20/25] ima: Move to LSM infrastructure · Stefan Berger <stefanb@linux.ibm.com> · 2024-02-12
[PATCH v9 21/25] ima: Move IMA-Appraisal to LSM infrastructure · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 21/25] ima: Move IMA-Appraisal to LSM infrastructure · Casey Schaufler <casey@schaufler-ca.com> · 2024-01-16
Re: [PATCH v9 21/25] ima: Move IMA-Appraisal to LSM infrastructure · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 21/25] ima: Move IMA-Appraisal to LSM infrastructure · Christian Brauner <brauner@kernel.org> · 2024-02-09
[PATCH v9 22/25] evm: Move to LSM infrastructure · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 22/25] evm: Move to LSM infrastructure · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 22/25] evm: Move to LSM infrastructure · Christian Brauner <brauner@kernel.org> · 2024-02-09
Re: [PATCH v9 22/25] evm: Move to LSM infrastructure · Stefan Berger <stefanb@linux.ibm.com> · 2024-02-12
[PATCH v9 23/25] evm: Make it independent from 'integrity' LSM · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 23/25] evm: Make it independent from 'integrity' LSM · Casey Schaufler <casey@schaufler-ca.com> · 2024-01-16
Re: [PATCH v9 23/25] evm: Make it independent from 'integrity' LSM · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 23/25] evm: Make it independent from 'integrity' LSM · Stefan Berger <stefanb@linux.ibm.com> · 2024-02-12
[PATCH v9 24/25] ima: Make it independent from 'integrity' LSM · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 24/25] ima: Make it independent from 'integrity' LSM · Casey Schaufler <casey@schaufler-ca.com> · 2024-01-16
Re: [PATCH v9 24/25] ima: Make it independent from 'integrity' LSM · Stefan Berger <stefanb@linux.ibm.com> · 2024-02-12
[PATCH v9 25/25] integrity: Remove LSM · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 25/25] integrity: Remove LSM · Casey Schaufler <casey@schaufler-ca.com> · 2024-01-16
Re: [PATCH v9 25/25] integrity: Remove LSM · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 25/25] integrity: Remove LSM · Stefan Berger <stefanb@linux.ibm.com> · 2024-02-12
[PATCH v9 04/25] ima: Align ima_inode_removexattr() definition with LSM infrastructure · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 4/25] ima: Align ima_inode_removexattr() definition with LSM infrastructure · Paul Moore <paul@paul-moore.com> · 2024-02-08
[PATCH v9 13/25] security: Introduce file_release hook · Roberto Sassu <hidden> · 2024-01-15
Re: [PATCH v9 13/25] security: Introduce file_release hook · Al Viro <viro@zeniv.linux.org.uk> · 2024-01-15
Re: [PATCH v9 13/25] security: Introduce file_release hook · Roberto Sassu <hidden> · 2024-01-16
Re: [PATCH v9 13/25] security: Introduce file_release hook · Casey Schaufler <casey@schaufler-ca.com> · 2024-01-16
Re: [PATCH v9 13/25] security: Introduce file_release hook · Al Viro <viro@zeniv.linux.org.uk> · 2024-01-16
Re: [PATCH v9 13/25] security: Introduce file_release hook · Casey Schaufler <casey@schaufler-ca.com> · 2024-01-16
Re: [PATCH v9 13/25] security: Introduce file_release hook · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 13/25] security: Introduce file_release hook · Christian Brauner <brauner@kernel.org> · 2024-02-09
Re: [PATCH v9 13/25] security: Introduce file_release hook · Stefan Berger <stefanb@linux.ibm.com> · 2024-02-12
Re: [PATCH v9 0/25] security: Move IMA and EVM to the LSM infrastructure · Paul Moore <paul@paul-moore.com> · 2024-02-08
Re: [PATCH v9 0/25] security: Move IMA and EVM to the LSM infrastructure · Roberto Sassu <hidden> · 2024-02-08
Re: [PATCH v9 0/25] security: Move IMA and EVM to the LSM infrastructure · Paul Moore <paul@paul-moore.com> · 2024-02-08

From: Paul Moore <paul@paul-moore.com>
Date: 2024-02-08 03:18:46
Also in: keyrings, linux-fsdevel, linux-integrity, linux-kselftest, linux-nfs, lkml, selinux

On Jan 15, 2024 Roberto Sassu [off-list ref] wrote:

In preparation to move IMA and EVM to the LSM infrastructure, introduce the
file_post_open hook. Also, export security_file_post_open() for NFS.

Based on policy, IMA calculates the digest of the file content and
extends the TPM with the digest, verifies the file's integrity based on
the digest, and/or includes the file digest in the audit log.

LSMs could similarly take action depending on the file content and the
access mask requested with open().

The new hook returns a value and can cause the open to be aborted.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 fs/namei.c                    |  2 ++
 fs/nfsd/vfs.c                 |  6 ++++++
 include/linux/lsm_hook_defs.h |  1 +
 include/linux/security.h      |  6 ++++++
 security/security.c           | 17 +++++++++++++++++
 5 files changed, 32 insertions(+)

Acked-by: Paul Moore <paul@paul-moore.com>

--
paul-moore.com

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help