[CC'ing Casey] On Wed, 2021-10-13 at 17:26 +0200, Mickaël Salaün wrote: > Nice! > > On 13/10/2021 13:01, Mimi Zohar wrote: > > Extend the trusted_for syscall to call the newly defined > > ima_trusted_for hook. > > > > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > > --- > > fs/open.c | 3 +++ > > include/linux/ima.h | 9 +++++++++ > > 2 files changed, 12 insertions(+) > > > > diff --git a/fs/open.c b/fs/open.c > > index c79c138a638c..4d54e2a727e1 100644 > > --- a/fs/open.c > > +++ b/fs/open.c > > @@ -585,6 +585,9 @@ SYSCALL_DEFINE3(trusted_for, const int, fd, const enum trusted_for_usage, usage, > > err = inode_permission(file_mnt_user_ns(f.file), inode, > > mask | MAY_ACCESS); > > > > + if (!err) > > + err = ima_trusted_for(f.file, usage); > > Could you please implement a new LSM hook instead? Other LSMs may want > to use this information as well. Casey normally pushes back on my defining a new LSM hook, when IMA is the only user. If any of the LSM maintainers are planning on defining this hook, please chime in. thanks, Mimi
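Review bot: the fs/open.c hunk hard-wires the trusted_for() decision point to IMA, calling ima_trusted_for(f.file, usage) directly after inode_permission() instead of going through a security_*() LSM hook that other modules could also implement, which is exactly the objection raised in the reply; consider `err = security_trusted_for(f.file, usage);` with IMA registering its implementation behind that hook. The diffstat also lists 9 added lines in include/linux/ima.h that are not quoted here, so the !CONFIG_IMA stub of ima_trusted_for() that this hunk needs in order to build without IMA cannot be checked from what is shown.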
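To make the design question in this thread concrete, the following is an added user-space model written for this page; it is not the patch's code, not kernel code, and not anything from the IMA or LSM maintainers. It contrasts the direct ima_trusted_for() call from the hunk with an LSM-style hook list in which every registered module gets a veto (first nonzero return wins, the way call_int_hook() behaves for "int" hooks). The struct file fields, the TRUSTED_FOR_EXECUTION value, the hypothetical second LSM and its label check, and the security_trusted_for() name are all assumptions made for the demonstration.

```c
/* Added example: user-space model of "direct IMA call" vs "LSM hook".
 * Nothing here is kernel code; names and values are assumed for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

enum trusted_for_usage { TRUSTED_FOR_EXECUTION = 1 }; /* assumed value */

/* Minimal stand-in for the kernel's struct file: what each policy looks at. */
struct file {
    const char *path;
    int signature_ok; /* what an IMA appraisal would decide (assumed) */
    int label_ok;     /* what a hypothetical MAC LSM would decide (assumed) */
};

/* The one callee the patch wires in: only IMA's verdict is consulted. */
static int ima_trusted_for(struct file *f, enum trusted_for_usage usage)
{
    (void)usage;
    return f->signature_ok ? 0 : -EACCES;
}

/* A second, hypothetical LSM that would also like to see this event. */
static int hypothetical_lsm_trusted_for(struct file *f, enum trusted_for_usage usage)
{
    (void)usage;
    return f->label_ok ? 0 : -EPERM;
}

/* LSM-style hook list: each module registers a callback for the hook. */
typedef int (*trusted_for_hook)(struct file *, enum trusted_for_usage);
struct hook_entry { const char *lsm; trusted_for_hook fn; };

static const struct hook_entry trusted_for_hooks[] = {
    { "ima",              ima_trusted_for },
    { "hypothetical_lsm", hypothetical_lsm_trusted_for },
};

/* Modelled security_trusted_for(): call every registered hook in order,
 * stop at the first nonzero return (same shape as call_int_hook()). */
static int security_trusted_for(struct file *f, enum trusted_for_usage usage)
{
    for (size_t i = 0; i < sizeof trusted_for_hooks / sizeof trusted_for_hooks[0]; i++) {
        int rc = trusted_for_hooks[i].fn(f, usage);
        if (rc)
            return rc;
    }
    return 0;
}

/* Tail of the syscall as the hunk has it: perm_err models the result of
 * inode_permission(); the policy call is only made if that succeeded. */
static int trusted_for_direct(struct file *f, int perm_err, enum trusted_for_usage usage)
{
    int err = perm_err;
    if (!err)
        err = ima_trusted_for(f, usage);
    return err;
}

/* Same tail, but routed through the hook so every LSM is consulted. */
static int trusted_for_hooked(struct file *f, int perm_err, enum trusted_for_usage usage)
{
    int err = perm_err;
    if (!err)
        err = security_trusted_for(f, usage);
    return err;
}

int main(void)
{
    /* Constructed input: signed by IMA's standards but rejected by the other LSM. */
    struct file signed_unlabelled = { "/usr/bin/tool", 1, 0 };
    printf("direct : %d\n", trusted_for_direct(&signed_unlabelled, 0, TRUSTED_FOR_EXECUTION));
    printf("hooked : %d\n", trusted_for_hooked(&signed_unlabelled, 0, TRUSTED_FOR_EXECUTION));
    return 0;
}
```

The point the model makes is the one in the reply: with the direct call, a file the second LSM would refuse is still reported trusted, because the syscall never asks it; with the hook, IMA's verdict is one of several, and a permission failure from inode_permission() short-circuits both variants just as the `if (!err)` in the hunk does.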