diff mbox series

[v5,07/23] evm: Align evm_inode_setxattr() definition with LSM infrastructure

Message ID 20231107134012.682009-8-roberto.sassu@huaweicloud.com (mailing list archive)
State Changes Requested
Delegated to: Paul Moore
Headers show
Series security: Move IMA and EVM to the LSM infrastructure | expand

Commit Message

Roberto Sassu Nov. 7, 2023, 1:39 p.m. UTC
From: Roberto Sassu <roberto.sassu@huawei.com>

Change evm_inode_setxattr() definition, so that it can be registered as
implementation of the inode_setxattr hook.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 include/linux/evm.h               | 4 ++--
 security/integrity/evm/evm_main.c | 3 ++-
 security/security.c               | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

Comments

Casey Schaufler Nov. 7, 2023, 5:27 p.m. UTC | #1
On 11/7/2023 5:39 AM, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> Change evm_inode_setxattr() definition, so that it can be registered as
> implementation of the inode_setxattr hook.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>


> ---
>  include/linux/evm.h               | 4 ++--
>  security/integrity/evm/evm_main.c | 3 ++-
>  security/security.c               | 2 +-
>  3 files changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/evm.h b/include/linux/evm.h
> index cf976d8dbd7a..7c6a74dbc093 100644
> --- a/include/linux/evm.h
> +++ b/include/linux/evm.h
> @@ -27,7 +27,7 @@ extern void evm_inode_post_setattr(struct mnt_idmap *idmap,
>  				   struct dentry *dentry, int ia_valid);
>  extern int evm_inode_setxattr(struct mnt_idmap *idmap,
>  			      struct dentry *dentry, const char *name,
> -			      const void *value, size_t size);
> +			      const void *value, size_t size, int flags);
>  extern void evm_inode_post_setxattr(struct dentry *dentry,
>  				    const char *xattr_name,
>  				    const void *xattr_value,
> @@ -106,7 +106,7 @@ static inline void evm_inode_post_setattr(struct mnt_idmap *idmap,
>  
>  static inline int evm_inode_setxattr(struct mnt_idmap *idmap,
>  				     struct dentry *dentry, const char *name,
> -				     const void *value, size_t size)
> +				     const void *value, size_t size, int flags)
>  {
>  	return 0;
>  }
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index d452d469c503..7fc083d53fdf 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -558,6 +558,7 @@ static int evm_protect_xattr(struct mnt_idmap *idmap,
>   * @xattr_name: pointer to the affected extended attribute name
>   * @xattr_value: pointer to the new extended attribute value
>   * @xattr_value_len: pointer to the new extended attribute value length
> + * @flags: flags to pass into filesystem operations
>   *
>   * Before allowing the 'security.evm' protected xattr to be updated,
>   * verify the existing value is valid.  As only the kernel should have
> @@ -567,7 +568,7 @@ static int evm_protect_xattr(struct mnt_idmap *idmap,
>   */
>  int evm_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
>  		       const char *xattr_name, const void *xattr_value,
> -		       size_t xattr_value_len)
> +		       size_t xattr_value_len, int flags)
>  {
>  	const struct evm_ima_xattr_data *xattr_data = xattr_value;
>  
> diff --git a/security/security.c b/security/security.c
> index 358ec01a5492..ae3625198c9f 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2272,7 +2272,7 @@ int security_inode_setxattr(struct mnt_idmap *idmap,
>  	ret = ima_inode_setxattr(idmap, dentry, name, value, size, flags);
>  	if (ret)
>  		return ret;
> -	return evm_inode_setxattr(idmap, dentry, name, value, size);
> +	return evm_inode_setxattr(idmap, dentry, name, value, size, flags);
>  }
>  
>  /**
diff mbox series

Patch

diff --git a/include/linux/evm.h b/include/linux/evm.h
index cf976d8dbd7a..7c6a74dbc093 100644
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -27,7 +27,7 @@  extern void evm_inode_post_setattr(struct mnt_idmap *idmap,
 				   struct dentry *dentry, int ia_valid);
 extern int evm_inode_setxattr(struct mnt_idmap *idmap,
 			      struct dentry *dentry, const char *name,
-			      const void *value, size_t size);
+			      const void *value, size_t size, int flags);
 extern void evm_inode_post_setxattr(struct dentry *dentry,
 				    const char *xattr_name,
 				    const void *xattr_value,
@@ -106,7 +106,7 @@  static inline void evm_inode_post_setattr(struct mnt_idmap *idmap,
 
 static inline int evm_inode_setxattr(struct mnt_idmap *idmap,
 				     struct dentry *dentry, const char *name,
-				     const void *value, size_t size)
+				     const void *value, size_t size, int flags)
 {
 	return 0;
 }
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index d452d469c503..7fc083d53fdf 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -558,6 +558,7 @@  static int evm_protect_xattr(struct mnt_idmap *idmap,
  * @xattr_name: pointer to the affected extended attribute name
  * @xattr_value: pointer to the new extended attribute value
  * @xattr_value_len: pointer to the new extended attribute value length
+ * @flags: flags to pass into filesystem operations
  *
  * Before allowing the 'security.evm' protected xattr to be updated,
  * verify the existing value is valid.  As only the kernel should have
@@ -567,7 +568,7 @@  static int evm_protect_xattr(struct mnt_idmap *idmap,
  */
 int evm_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
 		       const char *xattr_name, const void *xattr_value,
-		       size_t xattr_value_len)
+		       size_t xattr_value_len, int flags)
 {
 	const struct evm_ima_xattr_data *xattr_data = xattr_value;
 
diff --git a/security/security.c b/security/security.c
index 358ec01a5492..ae3625198c9f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2272,7 +2272,7 @@  int security_inode_setxattr(struct mnt_idmap *idmap,
 	ret = ima_inode_setxattr(idmap, dentry, name, value, size, flags);
 	if (ret)
 		return ret;
-	return evm_inode_setxattr(idmap, dentry, name, value, size);
+	return evm_inode_setxattr(idmap, dentry, name, value, size, flags);
 }
 
 /**