Re: [PATCH v3 14/25] security: Introduce file_post_open hook

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2023-10-12 at 09:35 -0400, Mimi Zohar wrote:
> On Thu, 2023-10-12 at 14:45 +0200, Roberto Sassu wrote:
> > On Thu, 2023-10-12 at 08:36 -0400, Mimi Zohar wrote:
> > > On Mon, 2023-09-04 at 15:34 +0200, Roberto Sassu wrote:
> > > > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> > > > 
> > > > In preparation to move IMA and EVM to the LSM infrastructure, introduce the
> > > > file_post_open hook. Also, export security_file_post_open() for NFS.
> > > > 
> > > > It is useful for IMA to calculate the dhigest of the file content, and to
> > > > decide based on that digest whether the file should be made accessible to
> > > > the requesting process.
> > > 
> > > Please remove "It is usefile for".   Perhaps something along the lines:
> > > 
> > > 
> > > Based on policy, IMA calculates the digest of the file content and
> > > decides ...
> > 
> > Ok.
> > 
> > > > 
> > > > LSMs should use this hook instead of file_open, if they need to make their
> > > > decision based on an opened file (for example by inspecting the file
> > > > content). The file is not open yet in the file_open hook.
> 
> Needing to inspect the file contents is a good example.
> 
> >  
> > > The security hooks were originally defined for enforcing access
> > > control.  As a result the hooks were placed before the action.  The
> > > usage of the LSM hooks is not limited to just enforcing access control
> > > these days.  For IMA/EVM to become full LSMs additional hooks are
> > > needed post action.  Other LSMs, probably non-access control ones,
> > > could similarly take some action post action, in this case successful
> > > file open.
> > 
> > I don't know, I would not exclude LSMs to enforce access control. The
> > post action can be used to update the state, which can be used to check
> > next accesses (exactly what happens for EVM).
> > 
> > > Having to justify the new LSM post hooks in terms of the existing LSMs,
> > > which enforce access control, is really annoying and makes no sense. 
> > > Please don't.
> > 
> > Well, there is a relationship between the pre and post. But if you
> > prefer, I remove this comparison.
> 
> My comments, above, were a result of the wording of the hook
> definition, below.

Oh, ok. Actually there is a fundamental difference between this post
and the other post: this one can be reverted and can be effectively
used for access control.

Thanks

Roberto

> > > > +/**
> > > > + * security_file_post_open() - Recheck access to a file after it has been opened
> > > 
> > > The LSM post hooks aren't needed to enforce access control.   Probably
> > > better to say something along the lines of "take some action after
> > > successful file open".
> > > 
> > > > + * @file: the file
> > > > + * @mask: access mask
> > > > + *
> > > > + * Recheck access with mask after the file has been opened. The hook is useful
> > > > + * for LSMs that require the file content to be available in order to make
> > > > + * decisions.
> > > 
> > > And reword the above accordingly.
> > > 
> > > > + *
> > > > + * Return: Returns 0 if permission is granted.
> > > > + */
> > > > +int security_file_post_open(struct file *file, int mask)
> > > > +{
> > > > +	return call_int_hook(file_post_open, 0, file, mask);
> > > > +}
> > > > +EXPORT_SYMBOL_GPL(security_file_post_open);
> > > > +
> > > >  /**
> > > >   * security_file_truncate() - Check if truncating a file is allowed
> > > >   * @file: file
> > > 
> > 
> 




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux