Re: [PATCH v3 14/25] security: Introduce file_post_open hook
From: Mimi Zohar
Date: Thu Oct 12 2023 - 09:36:15 EST
On Thu, 2023-10-12 at 14:45 +0200, Roberto Sassu wrote:
> On Thu, 2023-10-12 at 08:36 -0400, Mimi Zohar wrote:
> > On Mon, 2023-09-04 at 15:34 +0200, Roberto Sassu wrote:
> > > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> > >
> > > In preparation to move IMA and EVM to the LSM infrastructure, introduce the
> > > file_post_open hook. Also, export security_file_post_open() for NFS.
> > >
> > > It is useful for IMA to calculate the dhigest of the file content, and to
> > > decide based on that digest whether the file should be made accessible to
> > > the requesting process.
> >
> > Please remove "It is usefile for". Perhaps something along the lines:
> >
> >
> > Based on policy, IMA calculates the digest of the file content and
> > decides ...
>
> Ok.
>
> > >
> > > LSMs should use this hook instead of file_open, if they need to make their
> > > decision based on an opened file (for example by inspecting the file
> > > content). The file is not open yet in the file_open hook.
Needing to inspect the file contents is a good example.
>
> > The security hooks were originally defined for enforcing access
> > control. As a result the hooks were placed before the action. The
> > usage of the LSM hooks is not limited to just enforcing access control
> > these days. For IMA/EVM to become full LSMs additional hooks are
> > needed post action. Other LSMs, probably non-access control ones,
> > could similarly take some action post action, in this case successful
> > file open.
>
> I don't know, I would not exclude LSMs to enforce access control. The
> post action can be used to update the state, which can be used to check
> next accesses (exactly what happens for EVM).
>
> > Having to justify the new LSM post hooks in terms of the existing LSMs,
> > which enforce access control, is really annoying and makes no sense.
> > Please don't.
>
> Well, there is a relationship between the pre and post. But if you
> prefer, I remove this comparison.
My comments, above, were a result of the wording of the hook
definition, below.
> > > +/**
> > > + * security_file_post_open() - Recheck access to a file after it has been opened
> >
> > The LSM post hooks aren't needed to enforce access control. Probably
> > better to say something along the lines of "take some action after
> > successful file open".
> >
> > > + * @file: the file
> > > + * @mask: access mask
> > > + *
> > > + * Recheck access with mask after the file has been opened. The hook is useful
> > > + * for LSMs that require the file content to be available in order to make
> > > + * decisions.
> >
> > And reword the above accordingly.
> >
> > > + *
> > > + * Return: Returns 0 if permission is granted.
> > > + */
> > > +int security_file_post_open(struct file *file, int mask)
> > > +{
> > > + return call_int_hook(file_post_open, 0, file, mask);
> > > +}
> > > +EXPORT_SYMBOL_GPL(security_file_post_open);
> > > +
> > > /**
> > > * security_file_truncate() - Check if truncating a file is allowed
> > > * @file: file
> >
>