Message ID | 20230303181842.1087717-14-roberto.sassu@huaweicloud.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | security: Move IMA and EVM to the LSM infrastructure | expand |
On 3/3/2023 10:18 AM, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu@huawei.com> > > Add the idmap parameter to the definition, so that evm_inode_setattr() can > be registered as this hook implementation. > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> For the Smack bits: Acked-by: Casey Schaufler <casey@schaufler-ca.com> > --- > include/linux/lsm_hook_defs.h | 3 ++- > security/security.c | 2 +- > security/selinux/hooks.c | 3 ++- > security/smack/smack_lsm.c | 4 +++- > 4 files changed, 8 insertions(+), 4 deletions(-) > > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h > index 2e10945622a..4372a6b2632 100644 > --- a/include/linux/lsm_hook_defs.h > +++ b/include/linux/lsm_hook_defs.h > @@ -133,7 +133,8 @@ LSM_HOOK(int, 0, inode_readlink, struct dentry *dentry) > LSM_HOOK(int, 0, inode_follow_link, struct dentry *dentry, struct inode *inode, > bool rcu) > LSM_HOOK(int, 0, inode_permission, struct inode *inode, int mask) > -LSM_HOOK(int, 0, inode_setattr, struct dentry *dentry, struct iattr *attr) > +LSM_HOOK(int, 0, inode_setattr, struct mnt_idmap *idmap, struct dentry *dentry, > + struct iattr *attr) > LSM_HOOK(int, 0, inode_getattr, const struct path *path) > LSM_HOOK(int, 0, inode_setxattr, struct mnt_idmap *idmap, > struct dentry *dentry, const char *name, const void *value, > diff --git a/security/security.c b/security/security.c > index df6714aa19d..f7fe252e9d3 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -2168,7 +2168,7 @@ int security_inode_setattr(struct mnt_idmap *idmap, > > if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) > return 0; > - ret = call_int_hook(inode_setattr, 0, dentry, attr); > + ret = call_int_hook(inode_setattr, 0, idmap, dentry, attr); > if (ret) > return ret; > return evm_inode_setattr(idmap, dentry, attr); > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 3e4308dd336..b31ad6109b0 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -3104,7 +3104,8 @@ static int selinux_inode_permission(struct inode *inode, int mask) > return rc; > } > > -static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) > +static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, > + struct iattr *iattr) > { > const struct cred *cred = current_cred(); > struct inode *inode = d_backing_inode(dentry); > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index 598b398c62e..09cfd3c31dc 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -1173,12 +1173,14 @@ static int smack_inode_permission(struct inode *inode, int mask) > > /** > * smack_inode_setattr - Smack check for setting attributes > + * @idmap: idmap of the mount > * @dentry: the object > * @iattr: for the force flag > * > * Returns 0 if access is permitted, an error code otherwise > */ > -static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) > +static int smack_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, > + struct iattr *iattr) > { > struct smk_audit_info ad; > int rc;
On 3/3/23 13:18, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu@huawei.com> > > Add the idmap parameter to the definition, so that evm_inode_setattr() can > be registered as this hook implementation. > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 2e10945622a..4372a6b2632 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -133,7 +133,8 @@ LSM_HOOK(int, 0, inode_readlink, struct dentry *dentry) LSM_HOOK(int, 0, inode_follow_link, struct dentry *dentry, struct inode *inode, bool rcu) LSM_HOOK(int, 0, inode_permission, struct inode *inode, int mask) -LSM_HOOK(int, 0, inode_setattr, struct dentry *dentry, struct iattr *attr) +LSM_HOOK(int, 0, inode_setattr, struct mnt_idmap *idmap, struct dentry *dentry, + struct iattr *attr) LSM_HOOK(int, 0, inode_getattr, const struct path *path) LSM_HOOK(int, 0, inode_setxattr, struct mnt_idmap *idmap, struct dentry *dentry, const char *name, const void *value, diff --git a/security/security.c b/security/security.c index df6714aa19d..f7fe252e9d3 100644 --- a/security/security.c +++ b/security/security.c @@ -2168,7 +2168,7 @@ int security_inode_setattr(struct mnt_idmap *idmap, if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; - ret = call_int_hook(inode_setattr, 0, dentry, attr); + ret = call_int_hook(inode_setattr, 0, idmap, dentry, attr); if (ret) return ret; return evm_inode_setattr(idmap, dentry, attr); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3e4308dd336..b31ad6109b0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3104,7 +3104,8 @@ static int selinux_inode_permission(struct inode *inode, int mask) return rc; } -static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) +static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + struct iattr *iattr) { const struct cred *cred = current_cred(); struct inode *inode = d_backing_inode(dentry); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 598b398c62e..09cfd3c31dc 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1173,12 +1173,14 @@ static int smack_inode_permission(struct inode *inode, int mask) /** * smack_inode_setattr - Smack check for setting attributes + * @idmap: idmap of the mount * @dentry: the object * @iattr: for the force flag * * Returns 0 if access is permitted, an error code otherwise */ -static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) +static int smack_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + struct iattr *iattr) { struct smk_audit_info ad; int rc;