Date: Wed, 07 Feb 2024 22:18:52 -0500
Message-ID: <9c2caad915fc512b6d37173008a2e189@paul-moore.com>
X-Mailing-List: linux-nfs@vger.kernel.org
From: Paul Moore
To: Roberto Sassu, viro@zeniv.linux.org.uk, brauner@kernel.org, chuck.lever@oracle.com, jlayton@kernel.org, neilb@suse.de, kolga@netapp.com, Dai.Ngo@oracle.com, tom@talpey.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, dhowells@redhat.com, jarkko@kernel.org, stephen.smalley.work@gmail.com, eparis@parisplace.org, casey@schaufler-ca.com, shuah@kernel.org, mic@digikod.net
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org, Roberto Sassu, Stefan Berger
Subject: Re: [PATCH v9 21/25] ima: Move IMA-Appraisal to LSM infrastructure
References: <20240115181809.885385-22-roberto.sassu@huaweicloud.com>
In-Reply-To: <20240115181809.885385-22-roberto.sassu@huaweicloud.com>

On Jan 15, 2024 Roberto Sassu wrote:
>
> A few additional IMA hooks are needed to reset the cached appraisal
> status, causing the file's integrity to be re-evaluated on next access.
> Register these IMA-appraisal only functions separately from the rest of IMA
> functions, as appraisal is a separate feature not necessarily enabled in
> the kernel configuration.
>
> Reuse the same approach as for other IMA functions, move hardcoded calls
> from various places in the kernel to the LSM infrastructure. Declare the
> functions as static and register them as hook implementations in
> init_ima_appraise_lsm(), called by init_ima_lsm().
>
> Also move the inline function ima_inode_remove_acl() from the public ima.h
> header to ima_appraise.c.
>
> Signed-off-by: Roberto Sassu
> Reviewed-by: Stefan Berger
> Reviewed-by: Mimi Zohar
> Reviewed-by: Casey Schaufler
> ---
>  fs/attr.c                             |  2 -
>  include/linux/ima.h                   | 55 --------------------------
>  security/integrity/ima/ima.h          |  5 +++
>  security/integrity/ima/ima_appraise.c | 38 +++++++++++++-----
>  security/integrity/ima/ima_main.c     |  1 +
>  security/security.c                   | 13 -------
>  6 files changed, 35 insertions(+), 79 deletions(-)

Acked-by: Paul Moore

--
paul-moore.com
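The registration pattern the quoted commit message describes, as an added userspace model that is not code from the patch or from the kernel: a core IMA hook list is always registered, the IMA-appraisal hooks are registered by a separate init_ima_appraise_lsm() only when appraisal is configured, and those hooks clear a cached appraisal status so the next access re-evaluates the file. The types and helpers (struct inode, struct hook_list, register_hooks, call_void_hook, IMA_APPRAISED) are constructed for the example and are not the kernel's; only the function names init_ima_lsm(), init_ima_appraise_lsm() and ima_inode_remove_acl() come from the message, and their bodies here are illustrative.

```c
/* Userspace model of optional IMA-appraisal hook registration (added example,
 * not kernel code). All types and helpers below are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

#define IMA_APPRAISED 0x01u   /* constructed flag: cached verdict is valid */

struct inode {                /* hypothetical minimal inode */
    const char *name;
    unsigned int ima_flags;   /* cached integrity status */
    int appraisals;           /* how many full appraisals have run */
};

struct hook_list {            /* hypothetical table, in the spirit of an LSM hook list */
    void (*inode_post_setattr)(struct inode *inode);
    void (*inode_remove_acl)(struct inode *inode);
    void (*file_open)(struct inode *inode);
};

#define MAX_HOOK_LISTS 4
static const struct hook_list *hook_lists[MAX_HOOK_LISTS];
static int nr_hook_lists;

static void register_hooks(const struct hook_list *hl)
{
    if (nr_hook_lists < MAX_HOOK_LISTS)
        hook_lists[nr_hook_lists++] = hl;
}

/* Walk every registered list and call the implementations that exist. */
#define call_void_hook(FUNC, ...)                                  \
    do {                                                           \
        for (int i_ = 0; i_ < nr_hook_lists; i_++)                 \
            if (hook_lists[i_]->FUNC)                              \
                hook_lists[i_]->FUNC(__VA_ARGS__);                 \
    } while (0)

/* Core IMA hook: evaluate the file once, then trust the cached verdict. */
static void ima_file_open(struct inode *inode)
{
    if (inode->ima_flags & IMA_APPRAISED)
        return;
    inode->appraisals++;             /* stand-in for a full appraisal */
    inode->ima_flags |= IMA_APPRAISED;
}

static const struct hook_list ima_hooks = { .file_open = ima_file_open };

/* Appraisal-only hooks: metadata changed, so forget the cached verdict. */
static void ima_reset_status(struct inode *inode) { inode->ima_flags &= ~IMA_APPRAISED; }
static void ima_inode_post_setattr(struct inode *inode) { ima_reset_status(inode); }
static void ima_inode_remove_acl(struct inode *inode) { ima_reset_status(inode); }

static const struct hook_list ima_appraise_hooks = {
    .inode_post_setattr = ima_inode_post_setattr,
    .inode_remove_acl   = ima_inode_remove_acl,
};

static void init_ima_appraise_lsm(void) { register_hooks(&ima_appraise_hooks); }

static void init_ima_lsm(bool appraise_enabled)
{
    nr_hook_lists = 0;               /* lets the scenario below be re-run */
    register_hooks(&ima_hooks);
    if (appraise_enabled)            /* separate feature, separate registration */
        init_ima_appraise_lsm();
}

/* Number of hook lists registered for a given configuration. */
int ima_hook_lists_registered(bool appraise_enabled)
{
    init_ima_lsm(appraise_enabled);
    return nr_hook_lists;
}

/* Scenario: open, open again (cached), remove an ACL, open again. Returns the
 * number of full appraisals; with the appraisal hooks registered the ACL
 * removal invalidates the cache and the last open re-evaluates the file. */
int appraisals_after_acl_change(bool appraise_enabled)
{
    struct inode f = { "demo.bin", 0, 0 };   /* constructed sample file */

    init_ima_lsm(appraise_enabled);
    call_void_hook(file_open, &f);
    call_void_hook(file_open, &f);
    call_void_hook(inode_remove_acl, &f);
    call_void_hook(file_open, &f);
    return f.appraisals;
}

int main(void)
{
    printf("appraisal enabled:  %d appraisals\n", appraisals_after_acl_change(true));
    printf("appraisal disabled: %d appraisals\n", appraisals_after_acl_change(false));
    return 0;
}
```

The point of the model is the second hook list: because the cache-reset functions live in their own list, a kernel built without appraisal registers nothing for inode_post_setattr or inode_remove_acl, and the cached verdict is simply never consulted the way it is when appraisal is on.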