diff mbox series

[v8,1/9] security: Create file_truncate hook from path_truncate hook

Message ID 20221001154908.49665-2-gnoack3000@gmail.com (mailing list archive)
State Handled Elsewhere
Headers show
Series landlock: truncate support | expand

Commit Message

Günther Noack Oct. 1, 2022, 3:49 p.m. UTC
Like path_truncate, the file_truncate hook also restricts file
truncation, but is called in the cases where truncation is attempted
on an already-opened file.

This is required in a subsequent commit to handle ftruncate()
operations differently to truncate() operations.

Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
 fs/namei.c                    |  2 +-
 fs/open.c                     |  2 +-
 include/linux/lsm_hook_defs.h |  1 +
 include/linux/lsm_hooks.h     | 10 +++++++++-
 include/linux/security.h      |  6 ++++++
 security/apparmor/lsm.c       |  6 ++++++
 security/security.c           |  5 +++++
 security/tomoyo/tomoyo.c      | 13 +++++++++++++
 8 files changed, 42 insertions(+), 3 deletions(-)

Comments

Mickaël Salaün Oct. 5, 2022, 6:53 p.m. UTC | #1
Thanks for the doc.

On 01/10/2022 17:49, Günther Noack wrote:
> Like path_truncate, the file_truncate hook also restricts file
> truncation, but is called in the cases where truncation is attempted
> on an already-opened file.
> 
> This is required in a subsequent commit to handle ftruncate()
> operations differently to truncate() operations.
> 
> Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Acked-by: John Johansen <john.johansen@canonical.com>
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> ---
>   fs/namei.c                    |  2 +-
>   fs/open.c                     |  2 +-
>   include/linux/lsm_hook_defs.h |  1 +
>   include/linux/lsm_hooks.h     | 10 +++++++++-
>   include/linux/security.h      |  6 ++++++
>   security/apparmor/lsm.c       |  6 ++++++
>   security/security.c           |  5 +++++
>   security/tomoyo/tomoyo.c      | 13 +++++++++++++
>   8 files changed, 42 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/namei.c b/fs/namei.c
> index 53b4bc094db2..0e419bd30f8e 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -3211,7 +3211,7 @@ static int handle_truncate(struct user_namespace *mnt_userns, struct file *filp)
>   	if (error)
>   		return error;
>   
> -	error = security_path_truncate(path);
> +	error = security_file_truncate(filp);
>   	if (!error) {
>   		error = do_truncate(mnt_userns, path->dentry, 0,
>   				    ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,
> diff --git a/fs/open.c b/fs/open.c
> index cf7e5c350a54..0fa861873245 100644
> --- a/fs/open.c
> +++ b/fs/open.c
> @@ -188,7 +188,7 @@ long do_sys_ftruncate(unsigned int fd, loff_t length, int small)
>   	if (IS_APPEND(file_inode(f.file)))
>   		goto out_putf;
>   	sb_start_write(inode->i_sb);
> -	error = security_path_truncate(&f.file->f_path);
> +	error = security_file_truncate(f.file);
>   	if (!error)
>   		error = do_truncate(file_mnt_user_ns(f.file), dentry, length,
>   				    ATTR_MTIME | ATTR_CTIME, f.file);
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index 60fff133c0b1..dee35ab253ba 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -177,6 +177,7 @@ LSM_HOOK(int, 0, file_send_sigiotask, struct task_struct *tsk,
>   	 struct fown_struct *fown, int sig)
>   LSM_HOOK(int, 0, file_receive, struct file *file)
>   LSM_HOOK(int, 0, file_open, struct file *file)
> +LSM_HOOK(int, 0, file_truncate, struct file *file)
>   LSM_HOOK(int, 0, task_alloc, struct task_struct *task,
>   	 unsigned long clone_flags)
>   LSM_HOOK(void, LSM_RET_VOID, task_free, struct task_struct *task)
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 3aa6030302f5..4acc975f28d9 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -409,7 +409,9 @@
>    *	@attr is the iattr structure containing the new file attributes.
>    *	Return 0 if permission is granted.
>    * @path_truncate:
> - *	Check permission before truncating a file.
> + *	Check permission before truncating the file indicated by path.
> + *      Note that truncation permissions may also be checked based on
> + *      already opened files, using the @file_truncate hook.

The documentation comments (mostly) use tabs, not spaces.


>    *	@path contains the path structure for the file.
>    *	Return 0 if permission is granted.
>    * @inode_getattr:
> @@ -598,6 +600,12 @@
>    *	to receive an open file descriptor via socket IPC.
>    *	@file contains the file structure being received.
>    *	Return 0 if permission is granted.
> + * @file_truncate:
> + *	Check permission before truncating a file, i.e. using ftruncate.
> + *	Note that truncation permission may also be checked based on the path,
> + *      using the @path_truncate hook.

Same here.


> + *	@file contains the file structure for the file.
> + *	Return 0 if permission is granted.
>    * @file_open:
>    *	Save open-time permission checking state for later use upon
>    *	file_permission, and recheck access if anything has changed
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 7bd0c490703d..f80b23382dd9 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -394,6 +394,7 @@ int security_file_send_sigiotask(struct task_struct *tsk,
>   				 struct fown_struct *fown, int sig);
>   int security_file_receive(struct file *file);
>   int security_file_open(struct file *file);
> +int security_file_truncate(struct file *file);
>   int security_task_alloc(struct task_struct *task, unsigned long clone_flags);
>   void security_task_free(struct task_struct *task);
>   int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
> @@ -1011,6 +1012,11 @@ static inline int security_file_open(struct file *file)
>   	return 0;
>   }
>   
> +static inline int security_file_truncate(struct file *file)
> +{
> +	return 0;
> +}
> +
>   static inline int security_task_alloc(struct task_struct *task,
>   				      unsigned long clone_flags)
>   {
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index e29cade7b662..98ecb7f221b8 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -329,6 +329,11 @@ static int apparmor_path_truncate(const struct path *path)
>   	return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
>   }
>   
> +static int apparmor_file_truncate(struct file *file)
> +{
> +	return apparmor_path_truncate(&file->f_path);
> +}
> +
>   static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
>   				 const char *old_name)
>   {
> @@ -1232,6 +1237,7 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
>   	LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
>   	LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
>   	LSM_HOOK_INIT(file_lock, apparmor_file_lock),
> +	LSM_HOOK_INIT(file_truncate, apparmor_file_truncate),
>   
>   	LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
>   	LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
> diff --git a/security/security.c b/security/security.c
> index 4b95de24bc8d..d73e423005c3 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1650,6 +1650,11 @@ int security_file_open(struct file *file)
>   	return fsnotify_perm(file, MAY_OPEN);
>   }
>   
> +int security_file_truncate(struct file *file)
> +{
> +	return call_int_hook(file_truncate, 0, file);
> +}
> +
>   int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
>   {
>   	int rc = lsm_task_alloc(task);
> diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
> index 71e82d855ebf..af04a7b7eb28 100644
> --- a/security/tomoyo/tomoyo.c
> +++ b/security/tomoyo/tomoyo.c
> @@ -134,6 +134,18 @@ static int tomoyo_path_truncate(const struct path *path)
>   	return tomoyo_path_perm(TOMOYO_TYPE_TRUNCATE, path, NULL);
>   }
>   
> +/**
> + * tomoyo_file_truncate - Target for security_file_truncate().
> + *
> + * @file: Pointer to "struct file".
> + *
> + * Returns 0 on success, negative value otherwise.
> + */
> +static int tomoyo_file_truncate(struct file *file)
> +{
> +	return tomoyo_path_truncate(&file->f_path);
> +}
> +
>   /**
>    * tomoyo_path_unlink - Target for security_path_unlink().
>    *
> @@ -545,6 +557,7 @@ static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = {
>   	LSM_HOOK_INIT(bprm_check_security, tomoyo_bprm_check_security),
>   	LSM_HOOK_INIT(file_fcntl, tomoyo_file_fcntl),
>   	LSM_HOOK_INIT(file_open, tomoyo_file_open),
> +	LSM_HOOK_INIT(file_truncate, tomoyo_file_truncate),
>   	LSM_HOOK_INIT(path_truncate, tomoyo_path_truncate),
>   	LSM_HOOK_INIT(path_unlink, tomoyo_path_unlink),
>   	LSM_HOOK_INIT(path_mkdir, tomoyo_path_mkdir),
Paul Moore Oct. 6, 2022, 1:10 a.m. UTC | #2
On Sat, Oct 1, 2022 at 11:49 AM Günther Noack <gnoack3000@gmail.com> wrote:
>
> Like path_truncate, the file_truncate hook also restricts file
> truncation, but is called in the cases where truncation is attempted
> on an already-opened file.
>
> This is required in a subsequent commit to handle ftruncate()
> operations differently to truncate() operations.
>
> Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Acked-by: John Johansen <john.johansen@canonical.com>
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> ---
>  fs/namei.c                    |  2 +-
>  fs/open.c                     |  2 +-
>  include/linux/lsm_hook_defs.h |  1 +
>  include/linux/lsm_hooks.h     | 10 +++++++++-
>  include/linux/security.h      |  6 ++++++
>  security/apparmor/lsm.c       |  6 ++++++
>  security/security.c           |  5 +++++
>  security/tomoyo/tomoyo.c      | 13 +++++++++++++
>  8 files changed, 42 insertions(+), 3 deletions(-)

I agree with Mickaël's comments regarding the formatting, but
otherwise it looks okay to me from a LSM perspective.  If you make the
whitespace changes you can add my ACK.

Acked-by: Paul Moore <paul@paul-moore.com>
Günther Noack Oct. 8, 2022, 7:45 a.m. UTC | #3
On Wed, Oct 05, 2022 at 08:53:35PM +0200, Mickaël Salaün wrote:
> Thanks for the doc.
> 
> On 01/10/2022 17:49, Günther Noack wrote:
> > Like path_truncate, the file_truncate hook also restricts file
> > truncation, but is called in the cases where truncation is attempted
> > on an already-opened file.
> > 
> > This is required in a subsequent commit to handle ftruncate()
> > operations differently to truncate() operations.
> > 
> > Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> > Acked-by: John Johansen <john.johansen@canonical.com>
> > Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> > ---
> >   fs/namei.c                    |  2 +-
> >   fs/open.c                     |  2 +-
> >   include/linux/lsm_hook_defs.h |  1 +
> >   include/linux/lsm_hooks.h     | 10 +++++++++-
> >   include/linux/security.h      |  6 ++++++
> >   security/apparmor/lsm.c       |  6 ++++++
> >   security/security.c           |  5 +++++
> >   security/tomoyo/tomoyo.c      | 13 +++++++++++++
> >   8 files changed, 42 insertions(+), 3 deletions(-)
> > 
> > diff --git a/fs/namei.c b/fs/namei.c
> > index 53b4bc094db2..0e419bd30f8e 100644
> > --- a/fs/namei.c
> > +++ b/fs/namei.c
> > @@ -3211,7 +3211,7 @@ static int handle_truncate(struct user_namespace *mnt_userns, struct file *filp)
> >   	if (error)
> >   		return error;
> > -	error = security_path_truncate(path);
> > +	error = security_file_truncate(filp);
> >   	if (!error) {
> >   		error = do_truncate(mnt_userns, path->dentry, 0,
> >   				    ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,
> > diff --git a/fs/open.c b/fs/open.c
> > index cf7e5c350a54..0fa861873245 100644
> > --- a/fs/open.c
> > +++ b/fs/open.c
> > @@ -188,7 +188,7 @@ long do_sys_ftruncate(unsigned int fd, loff_t length, int small)
> >   	if (IS_APPEND(file_inode(f.file)))
> >   		goto out_putf;
> >   	sb_start_write(inode->i_sb);
> > -	error = security_path_truncate(&f.file->f_path);
> > +	error = security_file_truncate(f.file);
> >   	if (!error)
> >   		error = do_truncate(file_mnt_user_ns(f.file), dentry, length,
> >   				    ATTR_MTIME | ATTR_CTIME, f.file);
> > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> > index 60fff133c0b1..dee35ab253ba 100644
> > --- a/include/linux/lsm_hook_defs.h
> > +++ b/include/linux/lsm_hook_defs.h
> > @@ -177,6 +177,7 @@ LSM_HOOK(int, 0, file_send_sigiotask, struct task_struct *tsk,
> >   	 struct fown_struct *fown, int sig)
> >   LSM_HOOK(int, 0, file_receive, struct file *file)
> >   LSM_HOOK(int, 0, file_open, struct file *file)
> > +LSM_HOOK(int, 0, file_truncate, struct file *file)
> >   LSM_HOOK(int, 0, task_alloc, struct task_struct *task,
> >   	 unsigned long clone_flags)
> >   LSM_HOOK(void, LSM_RET_VOID, task_free, struct task_struct *task)
> > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> > index 3aa6030302f5..4acc975f28d9 100644
> > --- a/include/linux/lsm_hooks.h
> > +++ b/include/linux/lsm_hooks.h
> > @@ -409,7 +409,9 @@
> >    *	@attr is the iattr structure containing the new file attributes.
> >    *	Return 0 if permission is granted.
> >    * @path_truncate:
> > - *	Check permission before truncating a file.
> > + *	Check permission before truncating the file indicated by path.
> > + *      Note that truncation permissions may also be checked based on
> > + *      already opened files, using the @file_truncate hook.
> 
> The documentation comments (mostly) use tabs, not spaces.

Oops, well spotted. Done.

> >    *	@path contains the path structure for the file.
> >    *	Return 0 if permission is granted.
> >    * @inode_getattr:
> > @@ -598,6 +600,12 @@
> >    *	to receive an open file descriptor via socket IPC.
> >    *	@file contains the file structure being received.
> >    *	Return 0 if permission is granted.
> > + * @file_truncate:
> > + *	Check permission before truncating a file, i.e. using ftruncate.
> > + *	Note that truncation permission may also be checked based on the path,
> > + *      using the @path_truncate hook.
> 
> Same here.

Done.

> > + *	@file contains the file structure for the file.
> > + *	Return 0 if permission is granted.
> >    * @file_open:
> >    *	Save open-time permission checking state for later use upon
> >    *	file_permission, and recheck access if anything has changed
> > diff --git a/include/linux/security.h b/include/linux/security.h
> > index 7bd0c490703d..f80b23382dd9 100644
> > --- a/include/linux/security.h
> > +++ b/include/linux/security.h
> > @@ -394,6 +394,7 @@ int security_file_send_sigiotask(struct task_struct *tsk,
> >   				 struct fown_struct *fown, int sig);
> >   int security_file_receive(struct file *file);
> >   int security_file_open(struct file *file);
> > +int security_file_truncate(struct file *file);
> >   int security_task_alloc(struct task_struct *task, unsigned long clone_flags);
> >   void security_task_free(struct task_struct *task);
> >   int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
> > @@ -1011,6 +1012,11 @@ static inline int security_file_open(struct file *file)
> >   	return 0;
> >   }
> > +static inline int security_file_truncate(struct file *file)
> > +{
> > +	return 0;
> > +}
> > +
> >   static inline int security_task_alloc(struct task_struct *task,
> >   				      unsigned long clone_flags)
> >   {
> > diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> > index e29cade7b662..98ecb7f221b8 100644
> > --- a/security/apparmor/lsm.c
> > +++ b/security/apparmor/lsm.c
> > @@ -329,6 +329,11 @@ static int apparmor_path_truncate(const struct path *path)
> >   	return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
> >   }
> > +static int apparmor_file_truncate(struct file *file)
> > +{
> > +	return apparmor_path_truncate(&file->f_path);
> > +}
> > +
> >   static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
> >   				 const char *old_name)
> >   {
> > @@ -1232,6 +1237,7 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
> >   	LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
> >   	LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
> >   	LSM_HOOK_INIT(file_lock, apparmor_file_lock),
> > +	LSM_HOOK_INIT(file_truncate, apparmor_file_truncate),
> >   	LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
> >   	LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
> > diff --git a/security/security.c b/security/security.c
> > index 4b95de24bc8d..d73e423005c3 100644
> > --- a/security/security.c
> > +++ b/security/security.c
> > @@ -1650,6 +1650,11 @@ int security_file_open(struct file *file)
> >   	return fsnotify_perm(file, MAY_OPEN);
> >   }
> > +int security_file_truncate(struct file *file)
> > +{
> > +	return call_int_hook(file_truncate, 0, file);
> > +}
> > +
> >   int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
> >   {
> >   	int rc = lsm_task_alloc(task);
> > diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
> > index 71e82d855ebf..af04a7b7eb28 100644
> > --- a/security/tomoyo/tomoyo.c
> > +++ b/security/tomoyo/tomoyo.c
> > @@ -134,6 +134,18 @@ static int tomoyo_path_truncate(const struct path *path)
> >   	return tomoyo_path_perm(TOMOYO_TYPE_TRUNCATE, path, NULL);
> >   }
> > +/**
> > + * tomoyo_file_truncate - Target for security_file_truncate().
> > + *
> > + * @file: Pointer to "struct file".
> > + *
> > + * Returns 0 on success, negative value otherwise.
> > + */
> > +static int tomoyo_file_truncate(struct file *file)
> > +{
> > +	return tomoyo_path_truncate(&file->f_path);
> > +}
> > +
> >   /**
> >    * tomoyo_path_unlink - Target for security_path_unlink().
> >    *
> > @@ -545,6 +557,7 @@ static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = {
> >   	LSM_HOOK_INIT(bprm_check_security, tomoyo_bprm_check_security),
> >   	LSM_HOOK_INIT(file_fcntl, tomoyo_file_fcntl),
> >   	LSM_HOOK_INIT(file_open, tomoyo_file_open),
> > +	LSM_HOOK_INIT(file_truncate, tomoyo_file_truncate),
> >   	LSM_HOOK_INIT(path_truncate, tomoyo_path_truncate),
> >   	LSM_HOOK_INIT(path_unlink, tomoyo_path_unlink),
> >   	LSM_HOOK_INIT(path_mkdir, tomoyo_path_mkdir),

--
diff mbox series

Patch

diff --git a/fs/namei.c b/fs/namei.c
index 53b4bc094db2..0e419bd30f8e 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3211,7 +3211,7 @@  static int handle_truncate(struct user_namespace *mnt_userns, struct file *filp)
 	if (error)
 		return error;
 
-	error = security_path_truncate(path);
+	error = security_file_truncate(filp);
 	if (!error) {
 		error = do_truncate(mnt_userns, path->dentry, 0,
 				    ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,
diff --git a/fs/open.c b/fs/open.c
index cf7e5c350a54..0fa861873245 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -188,7 +188,7 @@  long do_sys_ftruncate(unsigned int fd, loff_t length, int small)
 	if (IS_APPEND(file_inode(f.file)))
 		goto out_putf;
 	sb_start_write(inode->i_sb);
-	error = security_path_truncate(&f.file->f_path);
+	error = security_file_truncate(f.file);
 	if (!error)
 		error = do_truncate(file_mnt_user_ns(f.file), dentry, length,
 				    ATTR_MTIME | ATTR_CTIME, f.file);
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 60fff133c0b1..dee35ab253ba 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -177,6 +177,7 @@  LSM_HOOK(int, 0, file_send_sigiotask, struct task_struct *tsk,
 	 struct fown_struct *fown, int sig)
 LSM_HOOK(int, 0, file_receive, struct file *file)
 LSM_HOOK(int, 0, file_open, struct file *file)
+LSM_HOOK(int, 0, file_truncate, struct file *file)
 LSM_HOOK(int, 0, task_alloc, struct task_struct *task,
 	 unsigned long clone_flags)
 LSM_HOOK(void, LSM_RET_VOID, task_free, struct task_struct *task)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 3aa6030302f5..4acc975f28d9 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -409,7 +409,9 @@ 
  *	@attr is the iattr structure containing the new file attributes.
  *	Return 0 if permission is granted.
  * @path_truncate:
- *	Check permission before truncating a file.
+ *	Check permission before truncating the file indicated by path.
+ *      Note that truncation permissions may also be checked based on
+ *      already opened files, using the @file_truncate hook.
  *	@path contains the path structure for the file.
  *	Return 0 if permission is granted.
  * @inode_getattr:
@@ -598,6 +600,12 @@ 
  *	to receive an open file descriptor via socket IPC.
  *	@file contains the file structure being received.
  *	Return 0 if permission is granted.
+ * @file_truncate:
+ *	Check permission before truncating a file, i.e. using ftruncate.
+ *	Note that truncation permission may also be checked based on the path,
+ *      using the @path_truncate hook.
+ *	@file contains the file structure for the file.
+ *	Return 0 if permission is granted.
  * @file_open:
  *	Save open-time permission checking state for later use upon
  *	file_permission, and recheck access if anything has changed
diff --git a/include/linux/security.h b/include/linux/security.h
index 7bd0c490703d..f80b23382dd9 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -394,6 +394,7 @@  int security_file_send_sigiotask(struct task_struct *tsk,
 				 struct fown_struct *fown, int sig);
 int security_file_receive(struct file *file);
 int security_file_open(struct file *file);
+int security_file_truncate(struct file *file);
 int security_task_alloc(struct task_struct *task, unsigned long clone_flags);
 void security_task_free(struct task_struct *task);
 int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
@@ -1011,6 +1012,11 @@  static inline int security_file_open(struct file *file)
 	return 0;
 }
 
+static inline int security_file_truncate(struct file *file)
+{
+	return 0;
+}
+
 static inline int security_task_alloc(struct task_struct *task,
 				      unsigned long clone_flags)
 {
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index e29cade7b662..98ecb7f221b8 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -329,6 +329,11 @@  static int apparmor_path_truncate(const struct path *path)
 	return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
 }
 
+static int apparmor_file_truncate(struct file *file)
+{
+	return apparmor_path_truncate(&file->f_path);
+}
+
 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
 				 const char *old_name)
 {
@@ -1232,6 +1237,7 @@  static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
 	LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
 	LSM_HOOK_INIT(file_lock, apparmor_file_lock),
+	LSM_HOOK_INIT(file_truncate, apparmor_file_truncate),
 
 	LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
 	LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
diff --git a/security/security.c b/security/security.c
index 4b95de24bc8d..d73e423005c3 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1650,6 +1650,11 @@  int security_file_open(struct file *file)
 	return fsnotify_perm(file, MAY_OPEN);
 }
 
+int security_file_truncate(struct file *file)
+{
+	return call_int_hook(file_truncate, 0, file);
+}
+
 int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
 {
 	int rc = lsm_task_alloc(task);
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 71e82d855ebf..af04a7b7eb28 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -134,6 +134,18 @@  static int tomoyo_path_truncate(const struct path *path)
 	return tomoyo_path_perm(TOMOYO_TYPE_TRUNCATE, path, NULL);
 }
 
+/**
+ * tomoyo_file_truncate - Target for security_file_truncate().
+ *
+ * @file: Pointer to "struct file".
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+static int tomoyo_file_truncate(struct file *file)
+{
+	return tomoyo_path_truncate(&file->f_path);
+}
+
 /**
  * tomoyo_path_unlink - Target for security_path_unlink().
  *
@@ -545,6 +557,7 @@  static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(bprm_check_security, tomoyo_bprm_check_security),
 	LSM_HOOK_INIT(file_fcntl, tomoyo_file_fcntl),
 	LSM_HOOK_INIT(file_open, tomoyo_file_open),
+	LSM_HOOK_INIT(file_truncate, tomoyo_file_truncate),
 	LSM_HOOK_INIT(path_truncate, tomoyo_path_truncate),
 	LSM_HOOK_INIT(path_unlink, tomoyo_path_unlink),
 	LSM_HOOK_INIT(path_mkdir, tomoyo_path_mkdir),