Re: [PATCH v3 03/25] ima: Align ima_post_create_tmpfile() definition with LSM infrastructure

[Stefan Berger <stefanb@xxxxxxxxxxxxx>]

On 9/4/23 09:33, Roberto Sassu wrote:

> From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> Change ima_post_create_tmpfile() definition, so that it can be registered
> as implementation of the post_create_tmpfile hook.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> ---
>   fs/namei.c                        | 2 +-
>   include/linux/ima.h               | 7 +++++--
>   security/integrity/ima/ima_main.c | 8 ++++++--
>   3 files changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index c5e96f716f98..1f5ec71360de 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -3698,7 +3698,7 @@ static int vfs_tmpfile(struct mnt_idmap *idmap,
>   		inode->i_state |= I_LINKABLE;
>   		spin_unlock(&inode->i_lock);
>   	}
> -	ima_post_create_tmpfile(idmap, inode);
> +	ima_post_create_tmpfile(idmap, dir, file, mode);
>   	return 0;
>   }
>   
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index 179ce52013b2..893c3b98b4d0 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -19,7 +19,8 @@ extern enum hash_algo ima_get_current_hash_algo(void);
>   extern int ima_bprm_check(struct linux_binprm *bprm);
>   extern int ima_file_check(struct file *file, int mask);
>   extern void ima_post_create_tmpfile(struct mnt_idmap *idmap,
> -				    struct inode *inode);
> +				    struct inode *dir, struct file *file,
> +				    umode_t mode);
>   extern void ima_file_free(struct file *file);
>   extern int ima_file_mmap(struct file *file, unsigned long reqprot,
>   			 unsigned long prot, unsigned long flags);
> @@ -69,7 +70,9 @@ static inline int ima_file_check(struct file *file, int mask)
>   }
>   
>   static inline void ima_post_create_tmpfile(struct mnt_idmap *idmap,
> -					   struct inode *inode)
> +					   struct inode *dir,
> +					   struct file *file,
> +					   umode_t mode)
>   {
>   }
>   
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 76eba92d7f10..52e742d32f4b 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -663,16 +663,20 @@ EXPORT_SYMBOL_GPL(ima_inode_hash);
>   /**
>    * ima_post_create_tmpfile - mark newly created tmpfile as new
>    * @idmap: idmap of the mount the inode was found from
> - * @inode: inode of the newly created tmpfile
> + * @dir: inode structure of the parent of the new file
> + * @file: file descriptor of the new file
> + * @mode: mode of the new file
>    *
>    * No measuring, appraising or auditing of newly created tmpfiles is needed.
>    * Skip calling process_measurement(), but indicate which newly, created
>    * tmpfiles are in policy.
>    */
>   void ima_post_create_tmpfile(struct mnt_idmap *idmap,
> -			     struct inode *inode)
> +			     struct inode *dir, struct file *file,
> +			     umode_t mode)
>   {
>   	struct integrity_iint_cache *iint;
> +	struct inode *inode = file_inode(file);
>   	int must_appraise;
>   
>   	if (!ima_policy_flag || !S_ISREG(inode->i_mode))


Reviewed-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>