xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ima: use "ima_hooks" enum as function argument

Browse Source 
Cleanup the function arguments by using "ima_hooks" enumerator as needed.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Petko Manolov <petkan@mip-labs.com>
Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
This commit is contained in:
Mimi Zohar
2016-01-14 20:59:14 -05:00
parent b5269ab3e2
commit 4ad87a3d74
5 changed files with 37 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
security/integrity/ima/ima.h
View File

@@ -137,9 +137,18 @@ static inline unsigned long ima_hash_key(u8 *digest)
return hash_long(*digest, IMA_HASH_BITS); return hash_long(*digest, IMA_HASH_BITS);
} }
enum ima_hooks {
FILE_CHECK = 1,
MMAP_CHECK,
BPRM_CHECK,
MODULE_CHECK,
FIRMWARE_CHECK,
POST_SETATTR
};
/* LIM API function definitions */ /* LIM API function definitions */
int ima_get_action(struct inode *inode, int mask, int function); int ima_get_action(struct inode *inode, int mask, enum ima_hooks func);
int ima_must_measure(struct inode *inode, int mask, int function); int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
int ima_collect_measurement(struct integrity_iint_cache *iint, int ima_collect_measurement(struct integrity_iint_cache *iint,
struct file *file, enum hash_algo algo); struct file *file, enum hash_algo algo);
void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
@@ -156,8 +165,6 @@ void ima_free_template_entry(struct ima_template_entry *entry);
const char *ima_d_path(struct path *path, char **pathbuf); const char *ima_d_path(struct path *path, char **pathbuf);
/* IMA policy related functions */ /* IMA policy related functions */
enum ima_hooks { FILE_CHECK = 1, MMAP_CHECK, BPRM_CHECK, MODULE_CHECK, FIRMWARE_CHECK, POST_SETATTR };
int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
int flags); int flags);
void ima_init_policy(void); void ima_init_policy(void);
@@ -179,21 +186,22 @@ int ima_policy_show(struct seq_file *m, void *v);
#define IMA_APPRAISE_FIRMWARE 0x10 #define IMA_APPRAISE_FIRMWARE 0x10
#ifdef CONFIG_IMA_APPRAISE #ifdef CONFIG_IMA_APPRAISE
int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, int ima_appraise_measurement(enum ima_hooks func,
struct integrity_iint_cache *iint,
struct file *file, const unsigned char *filename, struct file *file, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value, struct evm_ima_xattr_data *xattr_value,
int xattr_len, int opened); int xattr_len, int opened);
int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func); int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file); void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
int func); enum ima_hooks func);
enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
int xattr_len); int xattr_len);
int ima_read_xattr(struct dentry *dentry, int ima_read_xattr(struct dentry *dentry,
struct evm_ima_xattr_data **xattr_value); struct evm_ima_xattr_data **xattr_value);
#else #else
static inline int ima_appraise_measurement(int func, static inline int ima_appraise_measurement(enum ima_hooks func,
struct integrity_iint_cache *iint, struct integrity_iint_cache *iint,
struct file *file, struct file *file,
const unsigned char *filename, const unsigned char *filename,
@@ -215,7 +223,8 @@ static inline void ima_update_xattr(struct integrity_iint_cache *iint,
} }
static inline enum integrity_status ima_get_cache_status(struct integrity_iint_cache static inline enum integrity_status ima_get_cache_status(struct integrity_iint_cache
*iint, int func) *iint,
enum ima_hooks func)
{ {
return INTEGRITY_UNKNOWN; return INTEGRITY_UNKNOWN;
} }

6
security/integrity/ima/ima_api.c
View File

@@ -156,7 +156,7 @@ err_out:
* ima_get_action - appraise & measure decision based on policy. * ima_get_action - appraise & measure decision based on policy.
* @inode: pointer to inode to measure * @inode: pointer to inode to measure
* @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE) * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
* @function: calling function (FILE_CHECK, BPRM_CHECK, MMAP_CHECK, MODULE_CHECK) * @func: caller identifier
* *
* The policy is defined in terms of keypairs: * The policy is defined in terms of keypairs:
* subj=, obj=, type=, func=, mask=, fsmagic= * subj=, obj=, type=, func=, mask=, fsmagic=
@@ -168,13 +168,13 @@ err_out:
* Returns IMA_MEASURE, IMA_APPRAISE mask. * Returns IMA_MEASURE, IMA_APPRAISE mask.
* *
*/ */
int ima_get_action(struct inode *inode, int mask, int function) int ima_get_action(struct inode *inode, int mask, enum ima_hooks func)
{ {
int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE; int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
flags &= ima_policy_flag; flags &= ima_policy_flag;
return ima_match_policy(inode, function, mask, flags); return ima_match_policy(inode, func, mask, flags);
} }
/* /*

13
security/integrity/ima/ima_appraise.c
View File

@@ -67,7 +67,7 @@ static int ima_fix_xattr(struct dentry *dentry,
/* Return specific func appraised cached result */ /* Return specific func appraised cached result */
enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
int func) enum ima_hooks func)
{ {
switch (func) { switch (func) {
case MMAP_CHECK: case MMAP_CHECK:
@@ -85,7 +85,8 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
} }
static void ima_set_cache_status(struct integrity_iint_cache *iint, static void ima_set_cache_status(struct integrity_iint_cache *iint,
int func, enum integrity_status status) enum ima_hooks func,
enum integrity_status status)
{ {
switch (func) { switch (func) {
case MMAP_CHECK: case MMAP_CHECK:
@@ -103,11 +104,11 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
case FILE_CHECK: case FILE_CHECK:
default: default:
iint->ima_file_status = status; iint->ima_file_status = status;
break;
} }
} }
static void ima_cache_flags(struct integrity_iint_cache *iint, int func) static void ima_cache_flags(struct integrity_iint_cache *iint,
enum ima_hooks func)
{ {
switch (func) { switch (func) {
case MMAP_CHECK: case MMAP_CHECK:
@@ -125,7 +126,6 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
case FILE_CHECK: case FILE_CHECK:
default: default:
iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED); iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
break;
} }
} }
@@ -185,7 +185,8 @@ int ima_read_xattr(struct dentry *dentry,
* *
* Return 0 on success, error code otherwise * Return 0 on success, error code otherwise
*/ */
int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, int ima_appraise_measurement(enum ima_hooks func,
struct integrity_iint_cache *iint,
struct file *file, const unsigned char *filename, struct file *file, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value, struct evm_ima_xattr_data *xattr_value,
int xattr_len, int opened) int xattr_len, int opened)

14
security/integrity/ima/ima_main.c
View File

@@ -153,8 +153,8 @@ void ima_file_free(struct file *file)
ima_check_last_writer(iint, inode, file); ima_check_last_writer(iint, inode, file);
} }
static int process_measurement(struct file *file, int mask, int function, static int process_measurement(struct file *file, int mask,
int opened) enum ima_hooks func, int opened)
{ {
struct inode *inode = file_inode(file); struct inode *inode = file_inode(file);
struct integrity_iint_cache *iint = NULL; struct integrity_iint_cache *iint = NULL;
@@ -174,8 +174,8 @@ static int process_measurement(struct file *file, int mask, int function,
* bitmask based on the appraise/audit/measurement policy. * bitmask based on the appraise/audit/measurement policy.
* Included is the appraise submask. * Included is the appraise submask.
*/ */
action = ima_get_action(inode, mask, function); action = ima_get_action(inode, mask, func);
violation_check = ((function == FILE_CHECK || function == MMAP_CHECK) && violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
(ima_policy_flag & IMA_MEASURE)); (ima_policy_flag & IMA_MEASURE));
if (!action && !violation_check) if (!action && !violation_check)
return 0; return 0;
@@ -184,7 +184,7 @@ static int process_measurement(struct file *file, int mask, int function,
/* Is the appraise rule hook specific? */ /* Is the appraise rule hook specific? */
if (action & IMA_FILE_APPRAISE) if (action & IMA_FILE_APPRAISE)
function = FILE_CHECK; func = FILE_CHECK;
inode_lock(inode); inode_lock(inode);
@@ -214,7 +214,7 @@ static int process_measurement(struct file *file, int mask, int function,
/* Nothing to do, just return existing appraised status */ /* Nothing to do, just return existing appraised status */
if (!action) { if (!action) {
if (must_appraise) if (must_appraise)
rc = ima_get_cache_status(iint, function); rc = ima_get_cache_status(iint, func);
goto out_digsig; goto out_digsig;
} }
@@ -240,7 +240,7 @@ static int process_measurement(struct file *file, int mask, int function,
ima_store_measurement(iint, file, pathname, ima_store_measurement(iint, file, pathname,
xattr_value, xattr_len); xattr_value, xattr_len);
if (action & IMA_APPRAISE_SUBMASK) if (action & IMA_APPRAISE_SUBMASK)
rc = ima_appraise_measurement(function, iint, file, pathname, rc = ima_appraise_measurement(func, iint, file, pathname,
xattr_value, xattr_len, opened); xattr_value, xattr_len, opened);
if (action & IMA_AUDIT) if (action & IMA_AUDIT)
ima_audit_measurement(iint, pathname); ima_audit_measurement(iint, pathname);

6
security/integrity/ima/ima_policy.c
View File

@@ -207,8 +207,8 @@ static void ima_lsm_update_rules(void)
* *
* Returns true on rule match, false on failure. * Returns true on rule match, false on failure.
*/ */
static bool ima_match_rules(struct ima_rule_entry *rule, static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
struct inode *inode, enum ima_hooks func, int mask) enum ima_hooks func, int mask)
{ {
struct task_struct *tsk = current; struct task_struct *tsk = current;
const struct cred *cred = current_cred(); const struct cred *cred = current_cred();
@@ -289,7 +289,7 @@ retry:
* In addition to knowing that we need to appraise the file in general, * In addition to knowing that we need to appraise the file in general,
* we need to differentiate between calling hooks, for hook specific rules. * we need to differentiate between calling hooks, for hook specific rules.
*/ */
static int get_subaction(struct ima_rule_entry *rule, int func) static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
{ {
if (!(rule->flags & IMA_FUNC)) if (!(rule->flags & IMA_FUNC))
return IMA_FILE_APPRAISE; return IMA_FILE_APPRAISE;