diff options
| author | Andrey Albershteyn <aalbersh@redhat.com> | 2025-06-30 18:20:12 +0200 |
|---|---|---|
| committer | Christian Brauner <brauner@kernel.org> | 2025-07-01 22:44:29 +0200 |
| commit | defdd02d783c6fa22d0005bdc238ccd9174faf20 (patch) | |
| tree | 63a3f75f540e7b98e0d2d9ef1566be4f6f41d60b /security/security.c | |
| parent | 2f952c9e8fe13c6ee15c05189f1f87c1a70b866c (diff) | |
| download | linux-defdd02d783c6fa22d0005bdc238ccd9174faf20.tar.gz | |
lsm: introduce new hooks for setting/getting inode fsxattr
Introduce new hooks for setting and getting filesystem extended
attributes on inode (FS_IOC_FSGETXATTR).
Cc: selinux@vger.kernel.org
Cc: Paul Moore <paul@paul-moore.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Andrey Albershteyn <aalbersh@kernel.org>
Link: https://lore.kernel.org/20250630-xattrat-syscall-v6-2-c4e3bc35227b@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Diffstat (limited to 'security/security.c')
| -rw-r--r-- | security/security.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c index 596d4181857735..711b4de40b8d36 100644 --- a/security/security.c +++ b/security/security.c @@ -2623,6 +2623,36 @@ void security_inode_post_removexattr(struct dentry *dentry, const char *name) } /** + * security_inode_file_setattr() - check if setting fsxattr is allowed + * @dentry: file to set filesystem extended attributes on + * @fa: extended attributes to set on the inode + * + * Called when file_setattr() syscall or FS_IOC_FSSETXATTR ioctl() is called on + * inode + * + * Return: Returns 0 if permission is granted. + */ +int security_inode_file_setattr(struct dentry *dentry, struct fileattr *fa) +{ + return call_int_hook(inode_file_setattr, dentry, fa); +} + +/** + * security_inode_file_getattr() - check if retrieving fsxattr is allowed + * @dentry: file to retrieve filesystem extended attributes from + * @fa: extended attributes to get + * + * Called when file_getattr() syscall or FS_IOC_FSGETXATTR ioctl() is called on + * inode + * + * Return: Returns 0 if permission is granted. + */ +int security_inode_file_getattr(struct dentry *dentry, struct fileattr *fa) +{ + return call_int_hook(inode_file_getattr, dentry, fa); +} + +/** * security_inode_need_killpriv() - Check if security_inode_killpriv() required * @dentry: associated dentry * |