diff mbox series

[13/28] security: Align inode_setattr hook definition with EVM

Message ID 20230303181842.1087717-14-roberto.sassu@huaweicloud.com (mailing list archive)
State New, archived
Delegated to: Paul Moore
Headers show
Series security: Move IMA and EVM to the LSM infrastructure | expand

Commit Message

Roberto Sassu March 3, 2023, 6:18 p.m. UTC
From: Roberto Sassu <roberto.sassu@huawei.com>

Add the idmap parameter to the definition, so that evm_inode_setattr() can
be registered as this hook implementation.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 include/linux/lsm_hook_defs.h | 3 ++-
 security/security.c           | 2 +-
 security/selinux/hooks.c      | 3 ++-
 security/smack/smack_lsm.c    | 4 +++-
 4 files changed, 8 insertions(+), 4 deletions(-)

Comments

Casey Schaufler March 5, 2023, 12:42 a.m. UTC | #1
On 3/3/2023 10:18 AM, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> Add the idmap parameter to the definition, so that evm_inode_setattr() can
> be registered as this hook implementation.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>

For the Smack bits:

Acked-by: Casey Schaufler <casey@schaufler-ca.com>

> ---
>  include/linux/lsm_hook_defs.h | 3 ++-
>  security/security.c           | 2 +-
>  security/selinux/hooks.c      | 3 ++-
>  security/smack/smack_lsm.c    | 4 +++-
>  4 files changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index 2e10945622a..4372a6b2632 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -133,7 +133,8 @@ LSM_HOOK(int, 0, inode_readlink, struct dentry *dentry)
>  LSM_HOOK(int, 0, inode_follow_link, struct dentry *dentry, struct inode *inode,
>  	 bool rcu)
>  LSM_HOOK(int, 0, inode_permission, struct inode *inode, int mask)
> -LSM_HOOK(int, 0, inode_setattr, struct dentry *dentry, struct iattr *attr)
> +LSM_HOOK(int, 0, inode_setattr, struct mnt_idmap *idmap, struct dentry *dentry,
> +	 struct iattr *attr)
>  LSM_HOOK(int, 0, inode_getattr, const struct path *path)
>  LSM_HOOK(int, 0, inode_setxattr, struct mnt_idmap *idmap,
>  	 struct dentry *dentry, const char *name, const void *value,
> diff --git a/security/security.c b/security/security.c
> index df6714aa19d..f7fe252e9d3 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2168,7 +2168,7 @@ int security_inode_setattr(struct mnt_idmap *idmap,
>  
>  	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
>  		return 0;
> -	ret = call_int_hook(inode_setattr, 0, dentry, attr);
> +	ret = call_int_hook(inode_setattr, 0, idmap, dentry, attr);
>  	if (ret)
>  		return ret;
>  	return evm_inode_setattr(idmap, dentry, attr);
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3e4308dd336..b31ad6109b0 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3104,7 +3104,8 @@ static int selinux_inode_permission(struct inode *inode, int mask)
>  	return rc;
>  }
>  
> -static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
> +static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
> +				 struct iattr *iattr)
>  {
>  	const struct cred *cred = current_cred();
>  	struct inode *inode = d_backing_inode(dentry);
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 598b398c62e..09cfd3c31dc 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -1173,12 +1173,14 @@ static int smack_inode_permission(struct inode *inode, int mask)
>  
>  /**
>   * smack_inode_setattr - Smack check for setting attributes
> + * @idmap: idmap of the mount
>   * @dentry: the object
>   * @iattr: for the force flag
>   *
>   * Returns 0 if access is permitted, an error code otherwise
>   */
> -static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr)
> +static int smack_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
> +			       struct iattr *iattr)
>  {
>  	struct smk_audit_info ad;
>  	int rc;
Stefan Berger March 6, 2023, 5:06 p.m. UTC | #2
On 3/3/23 13:18, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Add the idmap parameter to the definition, so that evm_inode_setattr() can
> be registered as this hook implementation.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
diff mbox series

Patch

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 2e10945622a..4372a6b2632 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -133,7 +133,8 @@  LSM_HOOK(int, 0, inode_readlink, struct dentry *dentry)
 LSM_HOOK(int, 0, inode_follow_link, struct dentry *dentry, struct inode *inode,
 	 bool rcu)
 LSM_HOOK(int, 0, inode_permission, struct inode *inode, int mask)
-LSM_HOOK(int, 0, inode_setattr, struct dentry *dentry, struct iattr *attr)
+LSM_HOOK(int, 0, inode_setattr, struct mnt_idmap *idmap, struct dentry *dentry,
+	 struct iattr *attr)
 LSM_HOOK(int, 0, inode_getattr, const struct path *path)
 LSM_HOOK(int, 0, inode_setxattr, struct mnt_idmap *idmap,
 	 struct dentry *dentry, const char *name, const void *value,
diff --git a/security/security.c b/security/security.c
index df6714aa19d..f7fe252e9d3 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2168,7 +2168,7 @@  int security_inode_setattr(struct mnt_idmap *idmap,
 
 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
 		return 0;
-	ret = call_int_hook(inode_setattr, 0, dentry, attr);
+	ret = call_int_hook(inode_setattr, 0, idmap, dentry, attr);
 	if (ret)
 		return ret;
 	return evm_inode_setattr(idmap, dentry, attr);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3e4308dd336..b31ad6109b0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3104,7 +3104,8 @@  static int selinux_inode_permission(struct inode *inode, int mask)
 	return rc;
 }
 
-static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
+static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+				 struct iattr *iattr)
 {
 	const struct cred *cred = current_cred();
 	struct inode *inode = d_backing_inode(dentry);
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 598b398c62e..09cfd3c31dc 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1173,12 +1173,14 @@  static int smack_inode_permission(struct inode *inode, int mask)
 
 /**
  * smack_inode_setattr - Smack check for setting attributes
+ * @idmap: idmap of the mount
  * @dentry: the object
  * @iattr: for the force flag
  *
  * Returns 0 if access is permitted, an error code otherwise
  */
-static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr)
+static int smack_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+			       struct iattr *iattr)
 {
 	struct smk_audit_info ad;
 	int rc;