Re: [PATCH v3 02/25] ima: Align ima_post_path_mknod() definition with LSM infrastructure
From: Roberto Sassu
Date: Fri Oct 13 2023 - 03:39:08 EST
On Thu, 2023-10-12 at 13:10 -0400, Mimi Zohar wrote:
> > > > > > We need to make sure that ima_post_path_mknod() has the
> > > > > > same parameters
> > > > > > as the LSM hook at the time we register it to the LSM
> > > > > > infrastructure.
> > > > >
> > > > > I'm trying to understand why the pre hook parameters and the
> > > > > missing
> > > > > IMA parameter are used, as opposed to just defining the new
> > > > > post_path_mknod hook like IMA.
> > > >
> > > > As an empyrical rule, I pass the same parameters as the
> > > > corresponding
> > > > pre hook (plus idmap, in this case). This is similar to the
> > > > inode_setxattr hook. But I can be wrong, if desired I can
> > > > reduce.
> > >
> > > The inode_setxattr hook change example is legitimate, as EVM
> > > includes
> > > idmap, while IMA doesn't.
> > >
> > > Unless there is a good reason for the additional parameters, I'm
> > > not
> > > sure that adding them makes sense. Not modifying the parameter
> > > list
> > > will reduce the size of this patch set.
> >
> > The hook is going to be used by any LSM. Without knowing all the
> > possible use cases, maybe it is better to include more information
> > now,
> > than modifying the hook and respective implementations later.
> >
> > (again, no problem to reduce)
>
> Unless there is a known use case for a specific parameter, please
> minimize them. Additional parameters can be added later as needed.
Ok. I did the same for inode_post_create_tmpfile.
Thanks
Roberto