On Thu, 2023-10-12 at 09:35 -0400, Mimi Zohar wrote:
> On Thu, 2023-10-12 at 14:45 +0200, Roberto Sassu wrote:
> > On Thu, 2023-10-12 at 08:36 -0400, Mimi Zohar wrote:
> > > On Mon, 2023-09-04 at 15:34 +0200, Roberto Sassu wrote:
> > > > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> > > >
> > > > In preparation to move IMA and EVM to the LSM infrastructure, introduce the
> > > > file_post_open hook. Also, export security_file_post_open() for NFS.
> > > >
> > > > It is useful for IMA to calculate the dhigest of the file content, and to
> > > > decide based on that digest whether the file should be made accessible to
> > > > the requesting process.
> > >
> > > Please remove "It is usefile for". Perhaps something along the lines:
> > >
> > >
> > > Based on policy, IMA calculates the digest of the file content and
> > > decides ...
> >
> > Ok.
> >
> > > >
> > > > LSMs should use this hook instead of file_open, if they need to make their
> > > > decision based on an opened file (for example by inspecting the file
> > > > content). The file is not open yet in the file_open hook.
>
> Needing to inspect the file contents is a good example.
>
> >
> > > The security hooks were originally defined for enforcing access
> > > control. As a result the hooks were placed before the action. The
> > > usage of the LSM hooks is not limited to just enforcing access control
> > > these days. For IMA/EVM to become full LSMs additional hooks are
> > > needed post action. Other LSMs, probably non-access control ones,
> > > could similarly take some action post action, in this case successful
> > > file open.
> >
> > I don't know, I would not exclude LSMs to enforce access control. The
> > post action can be used to update the state, which can be used to check
> > next accesses (exactly what happens for EVM).
> >
> > > Having to justify the new LSM post hooks in terms of the existing LSMs,
> > > which enforce access control, is really annoying and makes no sense.
> > > Please don't.
> >
> > Well, there is a relationship between the pre and post. But if you
> > prefer, I remove this comparison.
>
> My comments, above, were a result of the wording of the hook
> definition, below.
Oh, ok. Actually there is a fundamental difference between this post
and the other post: this one can be reverted and can be effectively
used for access control.
Thanks
Roberto
> > > > +/**
> > > > + * security_file_post_open() - Recheck access to a file after it has been opened
> > >
> > > The LSM post hooks aren't needed to enforce access control. Probably
> > > better to say something along the lines of "take some action after
> > > successful file open".
> > >
> > > > + * @file: the file
> > > > + * @mask: access mask
> > > > + *
> > > > + * Recheck access with mask after the file has been opened. The hook is useful
> > > > + * for LSMs that require the file content to be available in order to make
> > > > + * decisions.
> > >
> > > And reword the above accordingly.
> > >
> > > > + *
> > > > + * Return: Returns 0 if permission is granted.
> > > > + */
> > > > +int security_file_post_open(struct file *file, int mask)
> > > > +{
> > > > + return call_int_hook(file_post_open, 0, file, mask);
> > > > +}
> > > > +EXPORT_SYMBOL_GPL(security_file_post_open);
> > > > +
> > > > /**
> > > > * security_file_truncate() - Check if truncating a file is allowed
> > > > * @file: file
> > >
> >
>
