Message ID | 20240221-idmap-fscap-refactor-v2-15-3039364623bd@kernel.org |
---|---|
State | New |
From | "Seth Forshee (DigitalOcean)" <sforshee@kernel.org> |
Date | Wed, 21 Feb 2024 15:24:46 -0600 |
Subject | [PATCH v2 15/25] security: call evm fscaps hooks from generic security hooks |
To | Christian Brauner <brauner@kernel.org>, Seth Forshee <sforshee@kernel.org>, Serge Hallyn <serge@hallyn.com>, Paul Moore <paul@paul-moore.com>, Eric Paris <eparis@redhat.com>, James Morris <jmorris@namei.org>, Alexander Viro <viro@zeniv.linux.org.uk>, Jan Kara <jack@suse.cz>, Stephen Smalley <stephen.smalley.work@gmail.com>, Ondrej Mosnacek <omosnace@redhat.com>, Casey Schaufler <casey@schaufler-ca.com>, Mimi Zohar <zohar@linux.ibm.com>, Roberto Sassu <roberto.sassu@huawei.com>, Dmitry Kasatkin <dmitry.kasatkin@gmail.com>, Eric Snowberg <eric.snowberg@oracle.com>, "Matthew Wilcox (Oracle)" <willy@infradead.org>, Jonathan Corbet <corbet@lwn.net>, Miklos Szeredi <miklos@szeredi.hu>, Amir Goldstein <amir73il@gmail.com> |
Cc | linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org |
References | <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> |
X-Mailer | b4 0.12.4 |
Series | fs: use type-safe uid representation for filesystem capabilities |
Commit Message
Seth Forshee (DigitalOcean)
Feb. 21, 2024, 9:24 p.m. UTC
Signed-off-by: Seth Forshee (DigitalOcean) <sforshee@kernel.org>
---
security/security.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
Comments
On Wed, Feb 21, 2024 at 4:25 PM Seth Forshee (DigitalOcean) <sforshee@kernel.org> wrote:
>
> Signed-off-by: Seth Forshee (DigitalOcean) <sforshee@kernel.org>
> ---
> security/security.c | 15 +++++++++++++--
> 1 file changed, 13 insertions(+), 2 deletions(-)

First off, you've got to write *something* for the commit description, even if it is just a single sentence.

> diff --git a/security/security.c b/security/security.c > index 0d210da9862c..f515d8430318 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -2365,9 +2365,14 @@ int security_inode_remove_acl(struct mnt_idmap *idmap, > int security_inode_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, > const struct vfs_caps *caps, int flags) > { > + int ret; > + > if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) > return 0; > - return call_int_hook(inode_set_fscaps, 0, idmap, dentry, caps, flags); > + ret = call_int_hook(inode_set_fscaps, 0, idmap, dentry, caps, flags); > + if (ret) > + return ret; > + return evm_inode_set_fscaps(idmap, dentry, caps, flags); > } > > /** > @@ -2387,6 +2392,7 @@ void security_inode_post_set_fscaps(struct mnt_idmap *idmap, > if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) > return; > call_void_hook(inode_post_set_fscaps, idmap, dentry, caps, flags); > + evm_inode_post_set_fscaps(idmap, dentry, caps, flags); > } > > /** > @@ -2415,9 +2421,14 @@ int security_inode_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry) > */ > int security_inode_remove_fscaps(struct mnt_idmap *idmap, struct dentry *dentry) > { > + int ret; > + > if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) > return 0; > - return call_int_hook(inode_remove_fscaps, 0, idmap, dentry); > + ret = call_int_hook(inode_remove_fscaps, 0, idmap, dentry); > + if (ret) > + return ret; > + return evm_inode_remove_fscaps(dentry); > }

If you take a look at linux-next or the LSM tree's dev branch you'll see that we've gotten rid of the dedicated IMA and EVM hooks, promoting both IMA and EVM to "proper" LSMs that leverage the existing LSM hook infrastructure. In this patchset, and moving forward, please don't add dedicated IMA/EVM hooks like this, instead register them as LSM hook implementations with LSM_HOOK_INIT().
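To make the ordering point in the reply above concrete, here is an added user-space model (not code from the patch, the kernel, or any participant in the thread) of how the LSM call_int_hook() chain walks the registered implementations and stops at the first non-zero return. It contrasts the patch's shape, where the EVM check is a dedicated call after the chain, with EVM registered as one more entry in the same list, which is what LSM_HOOK_INIT() registration amounts to. The hook bodies lsm_allow, lsm_deny and evm_check, the scenario functions, the sample path and the trace strings are all constructed for this example.

```c
/* Added example, not code from the patch or the kernel: a user-space model of
 * the LSM call_int_hook() chain, contrasting the patch's dedicated EVM call
 * after the chain with EVM registered as one entry in the list, which is what
 * LSM_HOOK_INIT() registration amounts to. lsm_allow, lsm_deny, evm_check,
 * the scenarios and the trace strings are constructed for this example. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOOKS 8

/* One hook implementation: 0 allows the operation, -errno denies it. */
typedef int (*fscaps_hook_fn)(const char *path);

struct hook_list {
    fscaps_hook_fn fn[MAX_HOOKS];
    int count;
};

/* Records which hooks ran, in order, so the evaluation order can be checked. */
static char trace[128];
static void reset_trace(void) { trace[0] = '\0'; }
const char *get_trace(void) { return trace; }

/* Constructed implementations standing in for two LSMs and for EVM. */
static int lsm_allow(const char *path) { (void)path; strcat(trace, "allow;"); return 0; }
static int lsm_deny(const char *path)  { (void)path; strcat(trace, "deny;");  return -EPERM; }
static int evm_check(const char *path) { (void)path; strcat(trace, "evm;");   return 0; }

/* Model of LSM_HOOK_INIT() + security_add_hooks(): append in registration order. */
static void register_hook(struct hook_list *l, fscaps_hook_fn fn)
{
    if (l->count < MAX_HOOKS)
        l->fn[l->count++] = fn;
}

/* Model of call_int_hook(): walk the list in order and stop at the first
 * non-zero return; with nothing registered the default return (0) wins. */
static int call_int_hook(const struct hook_list *l, const char *path)
{
    int rc = 0;
    for (int i = 0; i < l->count; i++) {
        rc = l->fn[i](path);
        if (rc != 0)
            break;
    }
    return rc;
}

/* Shape of the patch as posted: EVM is called only after the whole chain
 * allowed, so a denial by any LSM means EVM is never consulted. */
static int set_fscaps_dedicated(const struct hook_list *lsms, const char *path)
{
    int ret = call_int_hook(lsms, path);
    if (ret)
        return ret;
    return evm_check(path);
}

/* Scenario: an allowing LSM, then a denying LSM, with the dedicated EVM call. */
int scenario_dedicated_deny(void)
{
    struct hook_list l = { .count = 0 };
    register_hook(&l, lsm_allow);
    register_hook(&l, lsm_deny);
    reset_trace();
    return set_fscaps_dedicated(&l, "/usr/bin/tool");
}

/* Scenario: every LSM allows, so the dedicated EVM call is reached last. */
int scenario_dedicated_allow(void)
{
    struct hook_list l = { .count = 0 };
    register_hook(&l, lsm_allow);
    reset_trace();
    return set_fscaps_dedicated(&l, "/usr/bin/tool");
}

/* Scenario: EVM registered as an ordinary hook ahead of the others, the
 * shape requested in review; its registration position now decides when it
 * runs, so it is consulted before the LSM that denies. */
int scenario_registered_evm_first(void)
{
    struct hook_list l = { .count = 0 };
    register_hook(&l, evm_check);
    register_hook(&l, lsm_allow);
    register_hook(&l, lsm_deny);
    reset_trace();
    return call_int_hook(&l, "/usr/bin/tool");
}

int main(void)
{
    printf("dedicated, deny:     rc=%d trace=%s\n", scenario_dedicated_deny(), get_trace());
    printf("dedicated, allow:    rc=%d trace=%s\n", scenario_dedicated_allow(), get_trace());
    printf("registered, evm 1st: rc=%d trace=%s\n", scenario_registered_evm_first(), get_trace());
    return 0;
}
```

The traces show the difference the review is pointing at: with the dedicated call, EVM can never run ahead of an LSM denial and always runs last; as a registered hook its place in the chain is whatever order it was added in, so the ordering of a promoted EVM is decided at registration time rather than by open-coded calls in security.c.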
On Wed, Feb 21, 2024 at 06:43:43PM -0500, Paul Moore wrote:
> On Wed, Feb 21, 2024 at 4:25 PM Seth Forshee (DigitalOcean) <sforshee@kernel.org> wrote:
> >
> > Signed-off-by: Seth Forshee (DigitalOcean) <sforshee@kernel.org>
> > ---
> > security/security.c | 15 +++++++++++++--
> > 1 file changed, 13 insertions(+), 2 deletions(-)
>
> First off, you've got to write *something* for the commit description, even if it is just a single sentence.
>
> > diff --git a/security/security.c b/security/security.c > > index 0d210da9862c..f515d8430318 100644 > > --- a/security/security.c > > +++ b/security/security.c > > @@ -2365,9 +2365,14 @@ int security_inode_remove_acl(struct mnt_idmap *idmap, > > int security_inode_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, > > const struct vfs_caps *caps, int flags) > > { > > + int ret; > > + > > if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) > > return 0; > > - return call_int_hook(inode_set_fscaps, 0, idmap, dentry, caps, flags); > > + ret = call_int_hook(inode_set_fscaps, 0, idmap, dentry, caps, flags); > > + if (ret) > > + return ret; > > + return evm_inode_set_fscaps(idmap, dentry, caps, flags); > > } > > > > /** > > @@ -2387,6 +2392,7 @@ void security_inode_post_set_fscaps(struct mnt_idmap *idmap, > > if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) > > return; > > call_void_hook(inode_post_set_fscaps, idmap, dentry, caps, flags); > > + evm_inode_post_set_fscaps(idmap, dentry, caps, flags); > > } > > > > /** > > @@ -2415,9 +2421,14 @@ int security_inode_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry) > > */ > > int security_inode_remove_fscaps(struct mnt_idmap *idmap, struct dentry *dentry) > > { > > + int ret; > > + > > if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) > > return 0; > > - return call_int_hook(inode_remove_fscaps, 0, idmap, dentry); > > + ret = call_int_hook(inode_remove_fscaps, 0, idmap, dentry); > > + if (ret) > > + return ret; > > + return evm_inode_remove_fscaps(dentry); > > }
>
> If you take a look at linux-next or the LSM tree's dev branch you'll see that we've gotten rid of the dedicated IMA and EVM hooks, promoting both IMA and EVM to "proper" LSMs that leverage the existing LSM hook infrastructure. In this patchset, and moving forward, please don't add dedicated IMA/EVM hooks like this, instead register them as LSM hook implementations with LSM_HOOK_INIT().

Yeah, I'm aware that work was going on and got applied recently. I've been assuming this change will go in through the vfs tree though, and I wasn't sure how you and Al/Christian would want to handle that dependency between your trees, so I held off on updating based off the LSM tree. I'm happy to update this for the next round though.

Thanks,
Seth
On Wed, Feb 21, 2024 at 7:20 PM Seth Forshee (DigitalOcean) <sforshee@kernel.org> wrote:
> On Wed, Feb 21, 2024 at 06:43:43PM -0500, Paul Moore wrote:
> > On Wed, Feb 21, 2024 at 4:25 PM Seth Forshee (DigitalOcean) <sforshee@kernel.org> wrote:
> > >
> > > Signed-off-by: Seth Forshee (DigitalOcean) <sforshee@kernel.org>
> > > ---
> > > security/security.c | 15 +++++++++++++--
> > > 1 file changed, 13 insertions(+), 2 deletions(-)
> >
> > First off, you've got to write *something* for the commit description, even if it is just a single sentence.
> >
> > > diff --git a/security/security.c b/security/security.c > > > index 0d210da9862c..f515d8430318 100644 > > > --- a/security/security.c > > > +++ b/security/security.c > > > @@ -2365,9 +2365,14 @@ int security_inode_remove_acl(struct mnt_idmap *idmap, > > > int security_inode_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, > > > const struct vfs_caps *caps, int flags) > > > { > > > + int ret; > > > + > > > if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) > > > return 0; > > > - return call_int_hook(inode_set_fscaps, 0, idmap, dentry, caps, flags); > > > + ret = call_int_hook(inode_set_fscaps, 0, idmap, dentry, caps, flags); > > > + if (ret) > > > + return ret; > > > + return evm_inode_set_fscaps(idmap, dentry, caps, flags); > > > } > > > > > > /** > > > @@ -2387,6 +2392,7 @@ void security_inode_post_set_fscaps(struct mnt_idmap *idmap, > > > if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) > > > return; > > > call_void_hook(inode_post_set_fscaps, idmap, dentry, caps, flags); > > > + evm_inode_post_set_fscaps(idmap, dentry, caps, flags); > > > } > > > > > > /** > > > @@ -2415,9 +2421,14 @@ int security_inode_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry) > > > */ > > > int security_inode_remove_fscaps(struct mnt_idmap *idmap, struct dentry *dentry) > > > { > > > + int ret; > > > + > > > if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) > > > return 0; > > > - return call_int_hook(inode_remove_fscaps, 0, idmap, dentry); > > > + ret = call_int_hook(inode_remove_fscaps, 0, idmap, dentry); > > > + if (ret) > > > + return ret; > > > + return evm_inode_remove_fscaps(dentry); > > > }
> >
> > If you take a look at linux-next or the LSM tree's dev branch you'll see that we've gotten rid of the dedicated IMA and EVM hooks, promoting both IMA and EVM to "proper" LSMs that leverage the existing LSM hook infrastructure. In this patchset, and moving forward, please don't add dedicated IMA/EVM hooks like this, instead register them as LSM hook implementations with LSM_HOOK_INIT().
>
> Yeah, I'm aware that work was going on and got applied recently. I've been assuming this change will go in through the vfs tree though, and I wasn't sure how you and Al/Christian would want to handle that dependency between your trees, so I held off on updating based off the LSM tree. I'm happy to update this for the next round though.

Okay, good, I just wanted to make sure you were aware of the changes. Since the merge window is only a couple of weeks away I'm guessing this isn't something we'll need to worry about in Linus' tree as the LSM/IMA/EVM changes are slated to go up during the next merge window and I'm guessing this will likely go in after that, targeting the following merge window at the earliest.
diff --git a/security/security.c b/security/security.c index 0d210da9862c..f515d8430318 100644 --- a/security/security.c +++ b/security/security.c @@ -2365,9 +2365,14 @@ int security_inode_remove_acl(struct mnt_idmap *idmap, int security_inode_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, const struct vfs_caps *caps, int flags) { + int ret; + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; - return call_int_hook(inode_set_fscaps, 0, idmap, dentry, caps, flags); + ret = call_int_hook(inode_set_fscaps, 0, idmap, dentry, caps, flags); + if (ret) + return ret; + return evm_inode_set_fscaps(idmap, dentry, caps, flags); } /** @@ -2387,6 +2392,7 @@ void security_inode_post_set_fscaps(struct mnt_idmap *idmap, if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return; call_void_hook(inode_post_set_fscaps, idmap, dentry, caps, flags); + evm_inode_post_set_fscaps(idmap, dentry, caps, flags); } /** @@ -2415,9 +2421,14 @@ int security_inode_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry) */ int security_inode_remove_fscaps(struct mnt_idmap *idmap, struct dentry *dentry) { + int ret; + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; - return call_int_hook(inode_remove_fscaps, 0, idmap, dentry); + ret = call_int_hook(inode_remove_fscaps, 0, idmap, dentry); + if (ret) + return ret; + return evm_inode_remove_fscaps(dentry); } /**
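Review bot: in the first hunk (security_inode_set_fscaps) the commit description is empty apart from the Signed-off-by, so nothing records the ordering the hunk introduces: with `ret = call_int_hook(inode_set_fscaps, 0, idmap, dentry, caps, flags);`, `if (ret) return ret;` and then `return evm_inode_set_fscaps(idmap, dentry, caps, flags);`, EVM is consulted only after every registered LSM has allowed the operation, and the `IS_PRIVATE` early return skips EVM altogether. Either state that in the description, or, as the thread already asks, register the EVM implementation with LSM_HOOK_INIT() so its position in the hook list decides the ordering instead of an open-coded call after the chain.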
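Review bot: in the second hunk (security_inode_post_set_fscaps) the kernel-doc block, the `/**` context line just above the function, is left unchanged even though `evm_inode_post_set_fscaps(idmap, dentry, caps, flags);` now runs from here after `call_void_hook(inode_post_set_fscaps, ...)`; a line in that comment saying EVM post-processing happens in this function keeps the documented contract in step with the code, and the same documentation point applies if the call is moved behind an LSM_HOOK_INIT() registration.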
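Review bot: in the third hunk (security_inode_remove_fscaps) `evm_inode_remove_fscaps(dentry)` takes only the dentry while the set path in the first hunk passes `idmap, dentry, caps, flags`; if that asymmetry is intentional (removal needs no mount idmapping to decide), a sentence in the description would stop the next reader from treating it as a dropped argument. The `if (ret) return ret;` short-circuit also means a denial from any LSM hides whether EVM would have permitted the removal, the same ordering as the set path, which should be documented once for both functions.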