adulau/aha
1
0
Fork 0
mirror of https://github.com/adulau/aha.git synced 2024-12-28 03:36:19 +00:00
Code Issues Projects Releases Packages Wiki Activity

LSM: imbed ima calls in the security hooks

Browse source 
Based on discussions on LKML and LSM, where there are consecutive
security_ and ima_ calls in the vfs layer, move the ima_ calls to
the existing security_ hooks.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Mimi Zohar 2009-10-22 17:30:13 -04:00 committed by James Morris
parent 6e8e16c7bc
commit 6c21a7fb49
6 changed files with 26 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
fs/exec.c
View file

@ -46,7 +46,6 @@
#include <linux/proc_fs.h> #include <linux/proc_fs.h>
#include <linux/mount.h> #include <linux/mount.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
#include <linux/syscalls.h> #include <linux/syscalls.h>
#include <linux/tsacct_kern.h> #include <linux/tsacct_kern.h>
#include <linux/cn_proc.h> #include <linux/cn_proc.h>
@ -1209,9 +1208,6 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
struct linux_binfmt *fmt; struct linux_binfmt *fmt;
retval = security_bprm_check(bprm); retval = security_bprm_check(bprm);
if (retval)
return retval;
retval = ima_bprm_check(bprm);
if (retval) if (retval)
return retval; return retval;

2
fs/file_table.c
View file

@ -13,7 +13,6 @@
#include <linux/module.h> #include <linux/module.h>
#include <linux/fs.h> #include <linux/fs.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
#include <linux/eventpoll.h> #include <linux/eventpoll.h>
#include <linux/rcupdate.h> #include <linux/rcupdate.h>
#include <linux/mount.h> #include <linux/mount.h>
@ -280,7 +279,6 @@ void __fput(struct file *file)
if (file->f_op && file->f_op->release) if (file->f_op && file->f_op->release)
file->f_op->release(inode, file); file->f_op->release(inode, file);
security_file_free(file); security_file_free(file);
ima_file_free(file);
if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL)) if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL))
cdev_put(inode->i_cdev); cdev_put(inode->i_cdev);
fops_put(file->f_op); fops_put(file->f_op);

10
fs/inode.c
View file

@ -18,7 +18,6 @@
#include <linux/hash.h> #include <linux/hash.h>
#include <linux/swap.h> #include <linux/swap.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
#include <linux/pagemap.h> #include <linux/pagemap.h>
#include <linux/cdev.h> #include <linux/cdev.h>
#include <linux/bootmem.h> #include <linux/bootmem.h>
@ -157,11 +156,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
if (security_inode_alloc(inode)) if (security_inode_alloc(inode))
goto out; goto out;
/* allocate and initialize an i_integrity */
if (ima_inode_alloc(inode))
goto out_free_security;
spin_lock_init(&inode->i_lock); spin_lock_init(&inode->i_lock);
lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key); lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
@ -201,9 +195,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
#endif #endif
return 0; return 0;
out_free_security:
security_inode_free(inode);
out: out:
return -ENOMEM; return -ENOMEM;
} }
@ -235,7 +226,6 @@ static struct inode *alloc_inode(struct super_block *sb)
void __destroy_inode(struct inode *inode) void __destroy_inode(struct inode *inode)
{ {
BUG_ON(inode_has_buffers(inode)); BUG_ON(inode_has_buffers(inode));
ima_inode_free(inode);
security_inode_free(inode); security_inode_free(inode);
fsnotify_inode_delete(inode); fsnotify_inode_delete(inode);
#ifdef CONFIG_FS_POSIX_ACL #ifdef CONFIG_FS_POSIX_ACL

4
mm/mmap.c
View file

@ -20,7 +20,6 @@
#include <linux/fs.h> #include <linux/fs.h>
#include <linux/personality.h> #include <linux/personality.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
#include <linux/hugetlb.h> #include <linux/hugetlb.h>
#include <linux/profile.h> #include <linux/profile.h>
#include <linux/module.h> #include <linux/module.h>
@ -1059,9 +1058,6 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
} }
error = security_file_mmap(file, reqprot, prot, flags, addr, 0); error = security_file_mmap(file, reqprot, prot, flags, addr, 0);
if (error)
return error;
error = ima_file_mmap(file, prot);
if (error) if (error)
return error; return error;

1
security/integrity/ima/Kconfig
View file

@ -3,6 +3,7 @@
config IMA config IMA
bool "Integrity Measurement Architecture(IMA)" bool "Integrity Measurement Architecture(IMA)"
depends on ACPI depends on ACPI
depends on SECURITY
select SECURITYFS select SECURITYFS
select CRYPTO select CRYPTO
select CRYPTO_HMAC select CRYPTO_HMAC

28
security/security.c
View file

@ -16,6 +16,7 @@
#include <linux/init.h> #include <linux/init.h>
#include <linux/kernel.h> #include <linux/kernel.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
/* Boot-time LSM user choice */ /* Boot-time LSM user choice */
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1]; static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
@ -235,7 +236,12 @@ int security_bprm_set_creds(struct linux_binprm *bprm)
int security_bprm_check(struct linux_binprm *bprm) int security_bprm_check(struct linux_binprm *bprm)
{ {
return security_ops->bprm_check_security(bprm); int ret;
ret = security_ops->bprm_check_security(bprm);
if (ret)
return ret;
return ima_bprm_check(bprm);
} }
void security_bprm_committing_creds(struct linux_binprm *bprm) void security_bprm_committing_creds(struct linux_binprm *bprm)
@ -352,12 +358,21 @@ EXPORT_SYMBOL(security_sb_parse_opts_str);
int security_inode_alloc(struct inode *inode) int security_inode_alloc(struct inode *inode)
{ {
int ret;
inode->i_security = NULL; inode->i_security = NULL;
return security_ops->inode_alloc_security(inode); ret = security_ops->inode_alloc_security(inode);
if (ret)
return ret;
ret = ima_inode_alloc(inode);
if (ret)
security_inode_free(inode);
return ret;
} }
void security_inode_free(struct inode *inode) void security_inode_free(struct inode *inode)
{ {
ima_inode_free(inode);
security_ops->inode_free_security(inode); security_ops->inode_free_security(inode);
} }
@ -648,6 +663,8 @@ int security_file_alloc(struct file *file)
void security_file_free(struct file *file) void security_file_free(struct file *file)
{ {
security_ops->file_free_security(file); security_ops->file_free_security(file);
if (file->f_dentry)
ima_file_free(file);
} }
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
@ -659,7 +676,12 @@ int security_file_mmap(struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags, unsigned long prot, unsigned long flags,
unsigned long addr, unsigned long addr_only) unsigned long addr, unsigned long addr_only)
{ {
return security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only); int ret;
ret = security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only);
if (ret)
return ret;
return ima_file_mmap(file, prot);
} }
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,