LKML Archive on lore.kernel.org
From: Casey Schaufler <casey@schaufler-ca.com>
To: "Mimi Zohar" <zohar@linux.ibm.com>, "Mickaël Salaün" <mic@digikod.net>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH 2/2] fs: extend the trusted_for syscall to call IMA
Date: Wed, 13 Oct 2021 10:24:22 -0700 [thread overview]
Message-ID: <4df99ebd-ca38-a829-b437-bd42dc4b6b1a@schaufler-ca.com> (raw)
In-Reply-To: <e1c2d34acb37d85e94af15ca1edd162e1e7f9a2a.camel@linux.ibm.com>
On 10/13/2021 8:45 AM, Mimi Zohar wrote:
> [CC'ing Casey]
>
> On Wed, 2021-10-13 at 17:26 +0200, Mickaël Salaün wrote:
>> Nice!
>>
>> On 13/10/2021 13:01, Mimi Zohar wrote:
>>> Extend the trusted_for syscall to call the newly defined
>>> ima_trusted_for hook.
>>>
>>> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
>>> ---
>>> fs/open.c | 3 +++
>>> include/linux/ima.h | 9 +++++++++
>>> 2 files changed, 12 insertions(+)
>>>
>>> diff --git a/fs/open.c b/fs/open.c
>>> index c79c138a638c..4d54e2a727e1 100644
>>> --- a/fs/open.c
>>> +++ b/fs/open.c
>>> @@ -585,6 +585,9 @@ SYSCALL_DEFINE3(trusted_for, const int, fd, const enum trusted_for_usage, usage,
>>> err = inode_permission(file_mnt_user_ns(f.file), inode,
>>> mask | MAY_ACCESS);
>>>
>>> + if (!err)
>>> + err = ima_trusted_for(f.file, usage);
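Review bot: the `ima_trusted_for(f.file, usage)` call is guarded by `if (!err)`, so IMA is consulted only after `inode_permission()` has already granted access; that means IMA can only tighten the DAC result, never override a denial, and since the visible lines carry no comment, a one-line note stating that ordering would help later readers of `SYSCALL_DEFINE3(trusted_for, ...)`. The diffstat lists 9 added lines in `include/linux/ima.h`, but that part of the diff is not quoted here, so it cannot be checked from this excerpt whether a `!CONFIG_IMA` stub returning 0 is provided alongside the real declaration.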
>> Could you please implement a new LSM hook instead? Other LSMs may want
>> to use this information as well.
> Casey normally pushes back on my defining a new LSM hook, when IMA is
> the only user. If any of the LSM maintainers are planning on defining
> this hook, please chime in.
That's correct. Adding the overhead of checking for security module hooks
when we know there aren't any does nothing to dispel the perception that
security developers don't care about performance.
> thanks,
>
> Mimi
>
Thread overview: 6+ messages
2021-10-13 11:01 [PATCH 1/2] ima: define ima_trusted_for hook Mimi Zohar
2021-10-13 11:01 ` [PATCH 2/2] fs: extend the trusted_for syscall to call IMA Mimi Zohar
2021-10-13 15:26 ` Mickaël Salaün
2021-10-13 15:45 ` Mimi Zohar
2021-10-13 17:24 ` Casey Schaufler [this message]
2021-10-13 14:34 ` [PATCH 1/2] ima: define ima_trusted_for hook Mimi Zohar