security: Introduce path_post_mknod hook

In preparation for moving IMA and EVM to the LSM infrastructure, introduce
the path_post_mknod hook.

IMA-appraisal requires all existing files in policy to have a file
hash/signature stored in security.ima. An exception is made for empty files
created by mknod, by tagging them as new files.

LSMs could also take some action after files are created.

The new hook cannot return an error and cannot cause the operation to be
reverted.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Acked-by: Christian Brauner <brauner@kernel.org>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/fs/namei.c b/fs/namei.c
index ef867f1d67049b8b1b5016f2d6a101cc70be6f6e..9280aa5d60a71c035c676f77997605eb2d85d43b 100644 (file)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -4063,6 +4063,11 @@ retry:
                                          dentry, mode, 0);
                        break;
        }
+
+       if (error)
+               goto out2;
+
+       security_path_post_mknod(idmap, dentry);
 out2:
        done_path_create(&path, dentry);
        if (retry_estale(error, lookup_flags)) {

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 7f9e9240606edf5ed690f31dcc22e4ff233e0ace..dba5d8204dc5d85fdfc7c68162efb59903989ffc 100644 (file)
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -94,6 +94,8 @@ LSM_HOOK(int, 0, path_mkdir, const struct path *dir, struct dentry *dentry,
 LSM_HOOK(int, 0, path_rmdir, const struct path *dir, struct dentry *dentry)
 LSM_HOOK(int, 0, path_mknod, const struct path *dir, struct dentry *dentry,
         umode_t mode, unsigned int dev)
+LSM_HOOK(void, LSM_RET_VOID, path_post_mknod, struct mnt_idmap *idmap,
+        struct dentry *dentry)
 LSM_HOOK(int, 0, path_truncate, const struct path *path)
 LSM_HOOK(int, 0, path_symlink, const struct path *dir, struct dentry *dentry,
         const char *old_name)

diff --git a/include/linux/security.h b/include/linux/security.h
index 2997348afcb7068daec5d3786946e34328779909..977dd9f7f51aaa3c2d3252ff9167a89aafca4a2b 100644 (file)
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1893,6 +1893,7 @@ int security_path_mkdir(const struct path *dir, struct dentry *dentry, umode_t m
 int security_path_rmdir(const struct path *dir, struct dentry *dentry);
 int security_path_mknod(const struct path *dir, struct dentry *dentry, umode_t mode,
                        unsigned int dev);
+void security_path_post_mknod(struct mnt_idmap *idmap, struct dentry *dentry);
 int security_path_truncate(const struct path *path);
 int security_path_symlink(const struct path *dir, struct dentry *dentry,
                          const char *old_name);
@@ -1927,6 +1928,10 @@ static inline int security_path_mknod(const struct path *dir, struct dentry *den
        return 0;
 }
 
+static inline void security_path_post_mknod(struct mnt_idmap *idmap,
+                                           struct dentry *dentry)
+{ }
+
 static inline int security_path_truncate(const struct path *path)
 {
        return 0;

diff --git a/security/security.c b/security/security.c
index 99004c44ce551fd8cda947b1984414b8cb1ca062..ee4582e1d4d073e942f166dd5927ce41efdcf5af 100644 (file)
--- a/security/security.c
+++ b/security/security.c
@@ -1800,6 +1800,20 @@ int security_path_mknod(const struct path *dir, struct dentry *dentry,
 }
 EXPORT_SYMBOL(security_path_mknod);
 
+/**
+ * security_path_post_mknod() - Update inode security field after file creation
+ * @idmap: idmap of the mount
+ * @dentry: new file
+ *
+ * Update inode security field after a file has been created.
+ */
+void security_path_post_mknod(struct mnt_idmap *idmap, struct dentry *dentry)
+{
+       if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
+               return;
+       call_void_hook(path_post_mknod, idmap, dentry);
+}
+
 /**
  * security_path_mkdir() - Check if creating a new directory is allowed
  * @dir: parent directory