From: Mimi Zohar
To: Mickaël Salaün
Cc: Mimi Zohar, Al Viro, Andrew Morton, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Casey Schaufler
Subject: [PATCH v1 2/3] fs: extend the trusted_for syscall to call IMA
Date: Thu, 14 Oct 2021 09:01:24 -0400
Message-Id: <20211014130125.6991-2-zohar@linux.ibm.com>
In-Reply-To: <20211014130125.6991-1-zohar@linux.ibm.com>
References: <20211014130125.6991-1-zohar@linux.ibm.com>
List-ID: linux-kernel@vger.kernel.org

Extend the trusted_for syscall to call the newly defined ima_trusted_for hook.

Signed-off-by: Mimi Zohar
---
 fs/open.c           | 3 +++
 include/linux/ima.h | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/fs/open.c b/fs/open.c
index c79c138a638c..4d54e2a727e1 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -585,6 +585,9 @@ SYSCALL_DEFINE3(trusted_for, const int, fd, const enum trusted_for_usage, usage, err = inode_permission(file_mnt_user_ns(f.file), inode, mask | MAY_ACCESS); + if (!err) + err = ima_trusted_for(f.file, usage); + out_fd: fdput(f); return err;
diff --git a/include/linux/ima.h b/include/linux/ima.h
index b6ab66a546ae..603df9932817 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h @@ -12,12 +12,15 @@ #include #include #include +#include struct linux_binprm; #ifdef CONFIG_IMA extern enum hash_algo ima_get_current_hash_algo(void); extern int ima_bprm_check(struct linux_binprm *bprm); extern int ima_file_check(struct file *file, int mask); +extern int ima_trusted_for(struct file *file, + const enum trusted_for_usage usage); extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns, struct inode *inode); extern void ima_file_free(struct file *file); @@ -81,6 +84,12 @@ static inline int ima_file_check(struct file *file, int mask) return 0; } +static inline int ima_trusted_for(struct file *file, + const enum trusted_for_usage usage) +{ + return 0; +} + static inline void ima_post_create_tmpfile(struct user_namespace *mnt_userns, struct inode *inode) { -- 2.27.0
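Review bot: In the fs/open.c hunk, `err = ima_trusted_for(f.file, usage);` runs only after inode_permission() returned 0, and whatever it returns is handed straight back to userspace through `out_fd`, yet the commit message says only that the hook is "newly defined" and nothing about what it returns or when it denies. Please extend the commit message to state the ordering (DAC check first, IMA policy second) and the error the hook reports on a policy failure, since that is the observable contract of trusted_for(). The visible context also does not show where `usage` is validated before it reaches ima_trusted_for(); if that check sits above this hunk, fine, otherwise the hook has to reject unknown usage values itself.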
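Review bot: In the include/linux/ima.h prototype hunk, `const enum trusted_for_usage usage` puts `const` on a by-value parameter; it changes nothing for callers and is not the usual kernel style, so drop it from `extern int ima_trusted_for(struct file *file, const enum trusted_for_usage usage);` and from the matching !CONFIG_IMA stub in the following hunk so the two stay in sync. The added `#include` is required because C cannot forward-declare an enum, but it pulls the header that defines `enum trusted_for_usage` into ima.h, which is included from many places; a sentence in the commit message saying that dependency is intentional would help reviewers.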