Message ID | 20231107134012.682009-8-roberto.sassu@huaweicloud.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Paul Moore |
Series | security: Move IMA and EVM to the LSM infrastructure | expand |
On 11/7/2023 5:39 AM, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu@huawei.com> > > Change evm_inode_setxattr() definition, so that it can be registered as > implementation of the inode_setxattr hook. > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> > --- > include/linux/evm.h | 4 ++-- > security/integrity/evm/evm_main.c | 3 ++- > security/security.c | 2 +- > 3 files changed, 5 insertions(+), 4 deletions(-) > > diff --git a/include/linux/evm.h b/include/linux/evm.h > index cf976d8dbd7a..7c6a74dbc093 100644 > --- a/include/linux/evm.h > +++ b/include/linux/evm.h > @@ -27,7 +27,7 @@ extern void evm_inode_post_setattr(struct mnt_idmap *idmap, > struct dentry *dentry, int ia_valid); > extern int evm_inode_setxattr(struct mnt_idmap *idmap, > struct dentry *dentry, const char *name, > - const void *value, size_t size); > + const void *value, size_t size, int flags); > extern void evm_inode_post_setxattr(struct dentry *dentry, > const char *xattr_name, > const void *xattr_value, > @@ -106,7 +106,7 @@ static inline void evm_inode_post_setattr(struct mnt_idmap *idmap, > > static inline int evm_inode_setxattr(struct mnt_idmap *idmap, > struct dentry *dentry, const char *name, > - const void *value, size_t size) > + const void *value, size_t size, int flags) > { > return 0; > } > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c > index d452d469c503..7fc083d53fdf 100644 > --- a/security/integrity/evm/evm_main.c > +++ b/security/integrity/evm/evm_main.c 
> @@ -558,6 +558,7 @@ static int evm_protect_xattr(struct mnt_idmap *idmap, > * @xattr_name: pointer to the affected extended attribute name > * @xattr_value: pointer to the new extended attribute value > * @xattr_value_len: pointer to the new extended attribute value length > + * @flags: flags to pass into filesystem operations > * > * Before allowing the 'security.evm' protected xattr to be updated, > * verify the existing value is valid. As only the kernel should have > @@ -567,7 +568,7 @@ static int evm_protect_xattr(struct mnt_idmap *idmap, > */ > int evm_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, > const char *xattr_name, const void *xattr_value, > - size_t xattr_value_len) > + size_t xattr_value_len, int flags) > { > const struct evm_ima_xattr_data *xattr_data = xattr_value; > > diff --git a/security/security.c b/security/security.c > index 358ec01a5492..ae3625198c9f 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -2272,7 +2272,7 @@ int security_inode_setxattr(struct mnt_idmap *idmap, > ret = ima_inode_setxattr(idmap, dentry, name, value, size, flags); > if (ret) > return ret; > - return evm_inode_setxattr(idmap, dentry, name, value, size); > + return evm_inode_setxattr(idmap, dentry, name, value, size, flags); > } > > /**
diff --git a/include/linux/evm.h b/include/linux/evm.h
index cf976d8dbd7a..7c6a74dbc093 100644
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -27,7 +27,7 @@ extern void evm_inode_post_setattr(struct mnt_idmap *idmap,
 struct dentry *dentry, int ia_valid);
 extern int evm_inode_setxattr(struct mnt_idmap *idmap,
 struct dentry *dentry, const char *name,
- const void *value, size_t size);
+ const void *value, size_t size, int flags);
 extern void evm_inode_post_setxattr(struct dentry *dentry,
 const char *xattr_name,
 const void *xattr_value,
@@ -106,7 +106,7 @@ static inline void evm_inode_post_setattr(struct mnt_idmap *idmap,

 static inline int evm_inode_setxattr(struct mnt_idmap *idmap,
 struct dentry *dentry, const char *name,
- const void *value, size_t size)
+ const void *value, size_t size, int flags)
 {
 return 0;
 }
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index d452d469c503..7fc083d53fdf 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -558,6 +558,7 @@ static int evm_protect_xattr(struct mnt_idmap *idmap,
 * @xattr_name: pointer to the affected extended attribute name
 * @xattr_value: pointer to the new extended attribute value
 * @xattr_value_len: pointer to the new extended attribute value length
+ * @flags: flags to pass into filesystem operations
 *
 * Before allowing the 'security.evm' protected xattr to be updated,
 * verify the existing value is valid. As only the kernel should have
@@ -567,7 +568,7 @@ static int evm_protect_xattr(struct mnt_idmap *idmap,
 */
 int evm_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
 const char *xattr_name, const void *xattr_value,
- size_t xattr_value_len)
+ size_t xattr_value_len, int flags)
 {
 const struct evm_ima_xattr_data *xattr_data = xattr_value;

diff --git a/security/security.c b/security/security.c
index 358ec01a5492..ae3625198c9f 100644
--- a/security/security.c
+++ b/security/security.c
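Review bot: The new `flags` parameter of evm_inode_setxattr() in the evm_main.c hunk is not consumed by any visible line, yet the added kernel-doc line `@flags: flags to pass into filesystem operations` describes a use the hunk does not show; the function body continues outside the hunk, so this may be resolved there. The commit message gives the actual reason for the parameter (matching the inode_setxattr hook prototype), and ima_inode_setxattr() in the security.c hunk already takes the same argument, so the doc would be more accurate as ` * @flags: setxattr flags, accepted so the prototype matches the inode_setxattr hook` if the remainder of the body does not use them. The evm.h stub in the first file section accepting and ignoring `flags` is fine as an inline no-op, and needs no change.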
@@ -2272,7 +2272,7 @@ int security_inode_setxattr(struct mnt_idmap *idmap,
 ret = ima_inode_setxattr(idmap, dentry, name, value, size, flags);
 if (ret)
 return ret;
- return evm_inode_setxattr(idmap, dentry, name, value, size);
+ return evm_inode_setxattr(idmap, dentry, name, value, size, flags);
 }

 /**