On Thu, 2023-10-12 at 09:35 -0400, Mimi Zohar wrote: > On Thu, 2023-10-12 at 14:45 +0200, Roberto Sassu wrote: > > On Thu, 2023-10-12 at 08:36 -0400, Mimi Zohar wrote: > > > On Mon, 2023-09-04 at 15:34 +0200, Roberto Sassu wrote: > > > > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > > > > > > > > In preparation to move IMA and EVM to the LSM infrastructure, introduce the > > > > file_post_open hook. Also, export security_file_post_open() for NFS. > > > > > > > > It is useful for IMA to calculate the dhigest of the file content, and to > > > > decide based on that digest whether the file should be made accessible to > > > > the requesting process. > > > > > > Please remove "It is usefile for". Perhaps something along the lines: > > > > > > > > > Based on policy, IMA calculates the digest of the file content and > > > decides ... > > > > Ok. > > > > > > > > > > LSMs should use this hook instead of file_open, if they need to make their > > > > decision based on an opened file (for example by inspecting the file > > > > content). The file is not open yet in the file_open hook. > > Needing to inspect the file contents is a good example. > > > > > > The security hooks were originally defined for enforcing access > > > control. As a result the hooks were placed before the action. The > > > usage of the LSM hooks is not limited to just enforcing access control > > > these days. For IMA/EVM to become full LSMs additional hooks are > > > needed post action. Other LSMs, probably non-access control ones, > > > could similarly take some action post action, in this case successful > > > file open. > > > > I don't know, I would not exclude LSMs to enforce access control. The > > post action can be used to update the state, which can be used to check > > next accesses (exactly what happens for EVM). > > > > > Having to justify the new LSM post hooks in terms of the existing LSMs, > > > which enforce access control, is really annoying and makes no sense. > > > Please don't. > > > > Well, there is a relationship between the pre and post. But if you > > prefer, I remove this comparison. > > My comments, above, were a result of the wording of the hook > definition, below. Oh, ok. Actually there is a fundamental difference between this post and the other post: this one can be reverted and can be effectively used for access control. Thanks Roberto > > > > +/** > > > > + * security_file_post_open() - Recheck access to a file after it has been opened > > > > > > The LSM post hooks aren't needed to enforce access control. Probably > > > better to say something along the lines of "take some action after > > > successful file open". > > > > > > > + * @file: the file > > > > + * @mask: access mask > > > > + * > > > > + * Recheck access with mask after the file has been opened. The hook is useful > > > > + * for LSMs that require the file content to be available in order to make > > > > + * decisions. > > > > > > And reword the above accordingly. > > > > > > > + * > > > > + * Return: Returns 0 if permission is granted. > > > > + */ > > > > +int security_file_post_open(struct file *file, int mask) > > > > +{ > > > > + return call_int_hook(file_post_open, 0, file, mask); > > > > +} > > > > +EXPORT_SYMBOL_GPL(security_file_post_open); > > > > + > > > > /** > > > > * security_file_truncate() - Check if truncating a file is allowed > > > > * @file: file > > > > > >