ima: add inode_post_setattr call

Changing an inode's metadata may result in our not needing to appraise the file. In such cases, we must remove 'security.ima'. Changelog v1: - use ima_inode_post_setattr() stub function, if IMA_APPRAISE not configured Signed-off-by: N Mimi Zohar <zohar@us.ibm.com> Acked-by: N Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: N Dmitry Kasatkin <dmitry.kasatkin@intel.com>

ima: add inode_post_setattr call
Changing an inode's metadata may result in our not needing to appraise the file. In such cases, we must remove 'security.ima'. Changelog v1: - use ima_inode_post_setattr() stub function, if IMA_APPRAISE not configured Signed-off-by: N Mimi Zohar <zohar@us.ibm.com> Acked-by: N Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: N Dmitry Kasatkin <dmitry.kasatkin@intel.com>
9957a504 · Mimi Zohar · a10bf26b · 9957a504 · 9957a504
隐藏空白更改
内联并排

Showing with 12 addition and 0 deletion

fs/attr.c fs/attr.c +2 -0

include/linux/ima.h include/linux/ima.h +10 -0

未找到文件。
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -14,6 +14,7 @@
 #include <linux/fcntl.h>
 #include <linux/security.h>
 #include <linux/evm.h>
+#include <linux/ima.h>

 /**
 * inode_change_ok - check if attribute changes to an inode are allowed
@@ -247,6 +248,7 @@ int notify_change(struct dentry * dentry, struct iattr * attr)

 	if (!error) {
 		fsnotify_change(dentry, ia_valid);
+		ima_inode_post_setattr(dentry);
 		evm_inode_post_setattr(dentry, ia_valid);
 	}


--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -39,5 +39,15 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
 {
 	return 0;
 }
+
 #endif /* CONFIG_IMA_H */
+
+#ifdef CONFIG_IMA_APPRAISE
+extern void ima_inode_post_setattr(struct dentry *dentry);
+#else
+static inline void ima_inode_post_setattr(struct dentry *dentry)
+{
+	return;
+}
+#endif /* CONFIG_IMA_APPRAISE_H */
 #endif /* _LINUX_IMA_H */