Extend the trusted_for syscall to call the newly defined ima_trusted_for hook.
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
 fs/open.c | 3 +++
 include/linux/ima.h | 9 +++++++++
 2 files changed, 12 insertions(+)
diff --git a/fs/open.c b/fs/open.c
index c79c138a638c..4d54e2a727e1 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -585,6 +585,9 @@ SYSCALL_DEFINE3(trusted_for, const int, fd, const enum trusted_for_usage, usage,
 	err = inode_permission(file_mnt_user_ns(f.file), inode, mask | MAY_ACCESS);
+	if (!err)
+		err = ima_trusted_for(f.file, usage);
+
 out_fd:
 	fdput(f);
 	return err;
diff --git a/include/linux/ima.h b/include/linux/ima.h
index b6ab66a546ae..603df9932817 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -12,12 +12,15 @@
 #include <linux/security.h>
 #include <linux/kexec.h>
 #include <crypto/hash_info.h>
+#include <uapi/linux/trusted-for.h>
 struct linux_binprm;
 #ifdef CONFIG_IMA
 extern enum hash_algo ima_get_current_hash_algo(void);
 extern int ima_bprm_check(struct linux_binprm *bprm);
 extern int ima_file_check(struct file *file, int mask);
+extern int ima_trusted_for(struct file *file,
+			   const enum trusted_for_usage usage);
 extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns, struct inode *inode);
 extern void ima_file_free(struct file *file);
@@ -81,6 +84,12 @@ static inline int ima_file_check(struct file *file, int mask)
 	return 0;
 }
+static inline int ima_trusted_for(struct file *file,
+				  const enum trusted_for_usage usage)
+{
+	return 0;
+}
+
 static inline void ima_post_create_tmpfile(struct user_namespace *mnt_userns, struct inode *inode)
 {
-- 
2.27.0
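Review bot: The new ima_trusted_for() call in fs/open.c deserves a one-line comment explaining its placement, since a reader only sees that it runs once inode_permission() has succeeded: `/* Consult IMA only once DAC and mount policy already allow the access. */` above `if (!err)`. The call forwards the raw `usage` syscall argument unchanged; the top of SYSCALL_DEFINE3(trusted_for) is outside the hunk, so if it does not already reject unsupported usage values before this point, the IMA hook becomes the first consumer of an unchecked userspace enum and the implementation should validate it itself. The enclosing function starts before the hunk.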
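Review bot: The `const` on the by-value `usage` parameter of the new prototype in include/linux/ima.h is a definition-side detail that tells callers nothing and is absent from the neighbouring declarations; `extern int ima_trusted_for(struct file *file, enum trusted_for_usage usage);` reads consistently with ima_file_check() just above it, and the same applies to the !CONFIG_IMA stub in the second hunk of this file. The new include is spelled `<uapi/linux/trusted-for.h>`; if a kernel-side wrapper header for trusted-for exists, `<linux/trusted-for.h>` is the usual in-kernel spelling, otherwise the direct uapi path is acceptable — worth confirming against where the enum is defined.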