mirror of https://gitee.com/openkylin/linux.git
integrity: IMA hooks
This patch replaces the generic integrity hooks, for which IMA registered itself, with IMA integrity hooks in the appropriate places directly in the fs directory. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
parent
659aaf2bb5
commit
6146f0d5e4
|
@ -44,6 +44,7 @@ parameter is applicable:
|
||||||
FB The frame buffer device is enabled.
|
FB The frame buffer device is enabled.
|
||||||
HW Appropriate hardware is enabled.
|
HW Appropriate hardware is enabled.
|
||||||
IA-64 IA-64 architecture is enabled.
|
IA-64 IA-64 architecture is enabled.
|
||||||
|
IMA Integrity measurement architecture is enabled.
|
||||||
IOSCHED More than one I/O scheduler is enabled.
|
IOSCHED More than one I/O scheduler is enabled.
|
||||||
IP_PNP IP DHCP, BOOTP, or RARP is enabled.
|
IP_PNP IP DHCP, BOOTP, or RARP is enabled.
|
||||||
ISAPNP ISA PnP code is enabled.
|
ISAPNP ISA PnP code is enabled.
|
||||||
|
|
10
fs/exec.c
10
fs/exec.c
|
@ -45,6 +45,7 @@
|
||||||
#include <linux/proc_fs.h>
|
#include <linux/proc_fs.h>
|
||||||
#include <linux/mount.h>
|
#include <linux/mount.h>
|
||||||
#include <linux/security.h>
|
#include <linux/security.h>
|
||||||
|
#include <linux/ima.h>
|
||||||
#include <linux/syscalls.h>
|
#include <linux/syscalls.h>
|
||||||
#include <linux/tsacct_kern.h>
|
#include <linux/tsacct_kern.h>
|
||||||
#include <linux/cn_proc.h>
|
#include <linux/cn_proc.h>
|
||||||
|
@ -128,6 +129,9 @@ asmlinkage long sys_uselib(const char __user * library)
|
||||||
goto exit;
|
goto exit;
|
||||||
|
|
||||||
error = vfs_permission(&nd, MAY_READ | MAY_EXEC | MAY_OPEN);
|
error = vfs_permission(&nd, MAY_READ | MAY_EXEC | MAY_OPEN);
|
||||||
|
if (error)
|
||||||
|
goto exit;
|
||||||
|
error = ima_path_check(&nd.path, MAY_READ | MAY_EXEC | MAY_OPEN);
|
||||||
if (error)
|
if (error)
|
||||||
goto exit;
|
goto exit;
|
||||||
|
|
||||||
|
@ -681,6 +685,9 @@ struct file *open_exec(const char *name)
|
||||||
goto out_path_put;
|
goto out_path_put;
|
||||||
|
|
||||||
err = vfs_permission(&nd, MAY_EXEC | MAY_OPEN);
|
err = vfs_permission(&nd, MAY_EXEC | MAY_OPEN);
|
||||||
|
if (err)
|
||||||
|
goto out_path_put;
|
||||||
|
err = ima_path_check(&nd.path, MAY_EXEC | MAY_OPEN);
|
||||||
if (err)
|
if (err)
|
||||||
goto out_path_put;
|
goto out_path_put;
|
||||||
|
|
||||||
|
@ -1207,6 +1214,9 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
retval = security_bprm_check(bprm);
|
retval = security_bprm_check(bprm);
|
||||||
|
if (retval)
|
||||||
|
return retval;
|
||||||
|
retval = ima_bprm_check(bprm);
|
||||||
if (retval)
|
if (retval)
|
||||||
return retval;
|
return retval;
|
||||||
|
|
||||||
|
|
|
@ -13,6 +13,7 @@
|
||||||
#include <linux/module.h>
|
#include <linux/module.h>
|
||||||
#include <linux/fs.h>
|
#include <linux/fs.h>
|
||||||
#include <linux/security.h>
|
#include <linux/security.h>
|
||||||
|
#include <linux/ima.h>
|
||||||
#include <linux/eventpoll.h>
|
#include <linux/eventpoll.h>
|
||||||
#include <linux/rcupdate.h>
|
#include <linux/rcupdate.h>
|
||||||
#include <linux/mount.h>
|
#include <linux/mount.h>
|
||||||
|
@ -276,6 +277,7 @@ void __fput(struct file *file)
|
||||||
if (file->f_op && file->f_op->release)
|
if (file->f_op && file->f_op->release)
|
||||||
file->f_op->release(inode, file);
|
file->f_op->release(inode, file);
|
||||||
security_file_free(file);
|
security_file_free(file);
|
||||||
|
ima_file_free(file);
|
||||||
if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL))
|
if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL))
|
||||||
cdev_put(inode->i_cdev);
|
cdev_put(inode->i_cdev);
|
||||||
fops_put(file->f_op);
|
fops_put(file->f_op);
|
||||||
|
|
24
fs/inode.c
24
fs/inode.c
|
@ -17,6 +17,7 @@
|
||||||
#include <linux/hash.h>
|
#include <linux/hash.h>
|
||||||
#include <linux/swap.h>
|
#include <linux/swap.h>
|
||||||
#include <linux/security.h>
|
#include <linux/security.h>
|
||||||
|
#include <linux/ima.h>
|
||||||
#include <linux/pagemap.h>
|
#include <linux/pagemap.h>
|
||||||
#include <linux/cdev.h>
|
#include <linux/cdev.h>
|
||||||
#include <linux/bootmem.h>
|
#include <linux/bootmem.h>
|
||||||
|
@ -144,13 +145,13 @@ struct inode *inode_init_always(struct super_block *sb, struct inode *inode)
|
||||||
inode->i_cdev = NULL;
|
inode->i_cdev = NULL;
|
||||||
inode->i_rdev = 0;
|
inode->i_rdev = 0;
|
||||||
inode->dirtied_when = 0;
|
inode->dirtied_when = 0;
|
||||||
if (security_inode_alloc(inode)) {
|
|
||||||
if (inode->i_sb->s_op->destroy_inode)
|
if (security_inode_alloc(inode))
|
||||||
inode->i_sb->s_op->destroy_inode(inode);
|
goto out_free_inode;
|
||||||
else
|
|
||||||
kmem_cache_free(inode_cachep, (inode));
|
/* allocate and initialize an i_integrity */
|
||||||
return NULL;
|
if (ima_inode_alloc(inode))
|
||||||
}
|
goto out_free_security;
|
||||||
|
|
||||||
spin_lock_init(&inode->i_lock);
|
spin_lock_init(&inode->i_lock);
|
||||||
lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
|
lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
|
||||||
|
@ -186,6 +187,15 @@ struct inode *inode_init_always(struct super_block *sb, struct inode *inode)
|
||||||
inode->i_mapping = mapping;
|
inode->i_mapping = mapping;
|
||||||
|
|
||||||
return inode;
|
return inode;
|
||||||
|
|
||||||
|
out_free_security:
|
||||||
|
security_inode_free(inode);
|
||||||
|
out_free_inode:
|
||||||
|
if (inode->i_sb->s_op->destroy_inode)
|
||||||
|
inode->i_sb->s_op->destroy_inode(inode);
|
||||||
|
else
|
||||||
|
kmem_cache_free(inode_cachep, (inode));
|
||||||
|
return NULL;
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(inode_init_always);
|
EXPORT_SYMBOL(inode_init_always);
|
||||||
|
|
||||||
|
|
|
@ -24,6 +24,7 @@
|
||||||
#include <linux/fsnotify.h>
|
#include <linux/fsnotify.h>
|
||||||
#include <linux/personality.h>
|
#include <linux/personality.h>
|
||||||
#include <linux/security.h>
|
#include <linux/security.h>
|
||||||
|
#include <linux/ima.h>
|
||||||
#include <linux/syscalls.h>
|
#include <linux/syscalls.h>
|
||||||
#include <linux/mount.h>
|
#include <linux/mount.h>
|
||||||
#include <linux/audit.h>
|
#include <linux/audit.h>
|
||||||
|
@ -860,6 +861,8 @@ static int __link_path_walk(const char *name, struct nameidata *nd)
|
||||||
err = exec_permission_lite(inode);
|
err = exec_permission_lite(inode);
|
||||||
if (err == -EAGAIN)
|
if (err == -EAGAIN)
|
||||||
err = vfs_permission(nd, MAY_EXEC);
|
err = vfs_permission(nd, MAY_EXEC);
|
||||||
|
if (!err)
|
||||||
|
err = ima_path_check(&nd->path, MAY_EXEC);
|
||||||
if (err)
|
if (err)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
@ -1525,6 +1528,11 @@ int may_open(struct nameidata *nd, int acc_mode, int flag)
|
||||||
error = vfs_permission(nd, acc_mode);
|
error = vfs_permission(nd, acc_mode);
|
||||||
if (error)
|
if (error)
|
||||||
return error;
|
return error;
|
||||||
|
|
||||||
|
error = ima_path_check(&nd->path,
|
||||||
|
acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC));
|
||||||
|
if (error)
|
||||||
|
return error;
|
||||||
/*
|
/*
|
||||||
* An append-only file must be opened in append mode for writing.
|
* An append-only file must be opened in append mode for writing.
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -0,0 +1,44 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2008 IBM Corporation
|
||||||
|
* Author: Mimi Zohar <zohar@us.ibm.com>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU General Public License as published by
|
||||||
|
* the Free Software Foundation, version 2 of the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <linux/fs.h>
|
||||||
|
|
||||||
|
#ifndef _LINUX_IMA_H
|
||||||
|
#define _LINUX_IMA_H
|
||||||
|
|
||||||
|
static inline int ima_bprm_check(struct linux_binprm *bprm)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int ima_inode_alloc(struct inode *inode)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline void ima_inode_free(struct inode *inode)
|
||||||
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int ima_path_check(struct path *path, int mask)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline void ima_file_free(struct file *file)
|
||||||
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int ima_file_mmap(struct file *file, unsigned long prot)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#endif /* _LINUX_IMA_H */
|
|
@ -20,6 +20,7 @@
|
||||||
#include <linux/fs.h>
|
#include <linux/fs.h>
|
||||||
#include <linux/personality.h>
|
#include <linux/personality.h>
|
||||||
#include <linux/security.h>
|
#include <linux/security.h>
|
||||||
|
#include <linux/ima.h>
|
||||||
#include <linux/hugetlb.h>
|
#include <linux/hugetlb.h>
|
||||||
#include <linux/profile.h>
|
#include <linux/profile.h>
|
||||||
#include <linux/module.h>
|
#include <linux/module.h>
|
||||||
|
@ -1048,6 +1049,9 @@ unsigned long do_mmap_pgoff(struct file * file, unsigned long addr,
|
||||||
}
|
}
|
||||||
|
|
||||||
error = security_file_mmap(file, reqprot, prot, flags, addr, 0);
|
error = security_file_mmap(file, reqprot, prot, flags, addr, 0);
|
||||||
|
if (error)
|
||||||
|
return error;
|
||||||
|
error = ima_file_mmap(file, prot);
|
||||||
if (error)
|
if (error)
|
||||||
return error;
|
return error;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue