Subject: Re: [PATCH 2/2] fs: extend the trusted_for syscall to call IMA
From: Mickaël Salaün
To: Mimi Zohar
Cc: Al Viro, Andrew Morton, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Date: Wed, 13 Oct 2021 17:26:32 +0200
References: <20211013110113.13239-1-zohar@linux.ibm.com> <20211013110113.13239-2-zohar@linux.ibm.com>
In-Reply-To: <20211013110113.13239-2-zohar@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Nice!

On 13/10/2021 13:01, Mimi Zohar wrote:
> Extend the trusted_for syscall to call the newly defined > ima_trusted_for hook. > > Signed-off-by: Mimi Zohar > --- > fs/open.c | 3 +++ > include/linux/ima.h | 9 +++++++++ > 2 files changed, 12 insertions(+) > > diff --git a/fs/open.c b/fs/open.c > index c79c138a638c..4d54e2a727e1 100644 > --- a/fs/open.c > +++ b/fs/open.c > @@ -585,6 +585,9 @@ SYSCALL_DEFINE3(trusted_for, const int, fd, const enum trusted_for_usage, usage, > err = inode_permission(file_mnt_user_ns(f.file), inode, > mask | MAY_ACCESS); > > + if (!err) > + err = ima_trusted_for(f.file, usage);

Could you please implement a new LSM hook instead? Other LSMs may want to use this information as well.
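Review bot: the diffstat lists include/linux/ima.h with 9 insertions, but that hunk is not quoted here, so it is not visible whether the stub of ima_trusted_for() for kernels built without CONFIG_IMA returns 0; if it does not, the new `if (!err) err = ima_trusted_for(f.file, usage);` in fs/open.c would make trusted_for fail after inode_permission() has already succeeded, so please confirm the stub's return value. Placing the IMA call after the inode_permission() check is the right order, since a file the caller may not access should not reach the integrity check at all, but calling an IMA-specific function directly from the syscall ties fs/open.c to one integrity subsystem; routing the usage value through an LSM hook, as the reply suggests, would keep the same call site and let IMA and other LSMs consume it alike.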