Nice!

On 13/10/2021 13:01, Mimi Zohar wrote:
> Extend the trusted_for syscall to call the newly defined
> ima_trusted_for hook.
>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> ---
>  fs/open.c           | 3 +++
>  include/linux/ima.h | 9 +++++++++
>  2 files changed, 12 insertions(+)
>
> diff --git a/fs/open.c b/fs/open.c
> index c79c138a638c..4d54e2a727e1 100644
> --- a/fs/open.c
> +++ b/fs/open.c
> @@ -585,6 +585,9 @@ SYSCALL_DEFINE3(trusted_for, const int, fd, const enum trusted_for_usage, usage,
>  	err = inode_permission(file_mnt_user_ns(f.file), inode,
>  			       mask | MAY_ACCESS);
>
> +	if (!err)
> +		err = ima_trusted_for(f.file, usage);

Could you please implement a new LSM hook instead? Other LSMs may want to use this information as well.
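Review bot: the added lines in the fs/open.c hunk call ima_trusted_for() directly from the syscall body right after the inode_permission() check, which hard-wires IMA into trusted_for(); any other LSM that wants to veto or audit this decision would need its own direct call in the same spot, so a security hook (a hypothetical security_trusted_for(), as the reply suggests) that IMA then registers against is the cleaner shape. Two smaller points on the same hunk: the @@ header announces three added lines but only two are quoted, and the diffstat lists 9 added lines in include/linux/ima.h that are not shown here, so please confirm the !CONFIG_IMA stub returns 0 so the syscall keeps succeeding when IMA is compiled out.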