On Jan 15, 2024 Roberto Sassu <roberto.sassu@xxxxxxxxxxxxxxx> wrote: > > In preparation for moving IMA and EVM to the LSM infrastructure, introduce > the file_release hook. > > IMA calculates at file close the new digest of the file content and writes > it to security.ima, so that appraisal at next file access succeeds. > > An LSM could implement an exclusive access scheme for files, only allowing > access to files that have no references. Let's drop the above sentence as it is is a little vague and is causing some concern with the VFS folks. While I want to see the hooks explained and documented in the code, I've never been a big fan of speculating about potential future uses of the hook, that's dangerous IMO. Otherwise this looks good. Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx> > The new hook cannot return an error and cannot cause the operation to be > reverted. > > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > --- > fs/file_table.c | 1 + > include/linux/lsm_hook_defs.h | 1 + > include/linux/security.h | 4 ++++ > security/security.c | 11 +++++++++++ > 4 files changed, 17 insertions(+) -- paul-moore.com
