integrity: IMA hooks
This patch replaces the generic integrity hooks, for which IMA registered itself, with IMA integrity hooks in the appropriate places directly in the fs directory. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
@@ -24,6 +24,7 @@
|
||||
#include <linux/fsnotify.h>
|
||||
#include <linux/personality.h>
|
||||
#include <linux/security.h>
|
||||
#include <linux/ima.h>
|
||||
#include <linux/syscalls.h>
|
||||
#include <linux/mount.h>
|
||||
#include <linux/audit.h>
|
||||
@@ -860,6 +861,8 @@ static int __link_path_walk(const char *name, struct nameidata *nd)
|
||||
err = exec_permission_lite(inode);
|
||||
if (err == -EAGAIN)
|
||||
err = vfs_permission(nd, MAY_EXEC);
|
||||
if (!err)
|
||||
err = ima_path_check(&nd->path, MAY_EXEC);
|
||||
if (err)
|
||||
break;
|
||||
|
||||
@@ -1525,6 +1528,11 @@ int may_open(struct nameidata *nd, int acc_mode, int flag)
|
||||
error = vfs_permission(nd, acc_mode);
|
||||
if (error)
|
||||
return error;
|
||||
|
||||
error = ima_path_check(&nd->path,
|
||||
acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC));
|
||||
if (error)
|
||||
return error;
|
||||
/*
|
||||
* An append-only file must be opened in append mode for writing.
|
||||
*/
|
||||
|
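Review bot: The new ima_path_check() call in may_open() sits after vfs_permission() but ahead of the append-only check that follows it and the rest of may_open(), so whatever the hook records for this open — a measurement, and any per-inode accounting the name suggests but the hunk does not show — can be taken for an open that may_open() still rejects a few lines later. If the hook keeps state per successful open, the call should move to the end of may_open() or be paired with a release on the later failure paths; at minimum the call wants a comment making the ordering explicit, e.g. `/* IMA measures here; later may_open() checks may still refuse the open. */`. The mask `acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC)` also drops MAY_APPEND, so an append-only open is presented to IMA as a plain write, which is presumably intended but worth one word in that comment. may_open() continues beyond the end of the hunk.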