Skip to content

K
Kernel

openeuler / Kernel
1 年多 前同步成功

通知 8
Star 0
Fork 0
K
Kernel
切换分支/标签
查找文件 普通视图历史永久链接Permalink
ima.h 6.2 KB
Newer Older
T
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441  
Thomas Gleixner 已提交
1 
/* SPDX-License-Identifier: GPL-2.0-only */
M
integrity: IMA hooks  
Mimi Zohar 已提交
2 3 4 5 6 7 8 9 
/*
 * Copyright (C) 2008 IBM Corporation
 * Author: Mimi Zohar <zohar@us.ibm.com>
 */

#ifndef _LINUX_IMA_H
#define _LINUX_IMA_H
S
fs/kernel_read_file: Split into separate include file  
Scott Branden 已提交
10 
#include <linux/kernel_read_file.h>
M
integrity: shmem zero fix  
Mimi Zohar 已提交
11 
#include <linux/fs.h>
M
ima: based on policy require signed kexec kernel images  
Mimi Zohar 已提交
12 
#include <linux/security.h>
M
ima: on soft reboot, save the measurement list  
Mimi Zohar 已提交
13 
#include <linux/kexec.h>
M
integrity: shmem zero fix  
Mimi Zohar 已提交
14 15 
struct linux_binprm;
K
ima: Introduce ima namespace  
Krzysztof Struczynski 已提交
16 17 18 
struct nsproxy;
struct task_struct;
M
integrity: IMA as an integrity service provider  
Mimi Zohar 已提交
19 20 
#ifdef CONFIG_IMA
extern int ima_bprm_check(struct linux_binprm *bprm);
A
IMA: don't propagate opened through the entire thing  
Al Viro 已提交
21 
extern int ima_file_check(struct file *file, int mask);
M
ima: define ima_post_create_tmpfile() hook and add missing call  
Mimi Zohar 已提交
22 
extern void ima_post_create_tmpfile(struct inode *inode);
M
integrity: IMA as an integrity service provider  
Mimi Zohar 已提交
23 24 
extern void ima_file_free(struct file *file);
extern int ima_file_mmap(struct file *file, unsigned long prot);
M
ima: verify mprotect change is consistent with mmap policy  
Mimi Zohar 已提交
25 
extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot);
K
LSM: Introduce kernel_post_load_data() hook  
Kees Cook 已提交
26 27 28 
extern int ima_load_data(enum kernel_load_data_id id, bool contents);
extern int ima_post_load_data(char *buf, loff_t size,
			      enum kernel_load_data_id id, char *description);
K
LSM: Add "contents" flag to kernel_read_file hook  
Kees Cook 已提交
29 30 
extern int ima_read_file(struct file *file, enum kernel_read_file_id id,
			 bool contents);
M
ima: define a new hook to measure and appraise a file already in memory  
Mimi Zohar 已提交
31 32 
extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
			      enum kernel_read_file_id id);
M
ima: add support for creating files using the mknodat syscall  
Mimi Zohar 已提交
33 
extern void ima_post_path_mknod(struct dentry *dentry);
F
ima: add the ability to query the cached hash of a given file  
Florent Revest 已提交
34 
extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
T
ima: Support additional conditionals in the KEXEC_CMDLINE hook function  
Tyler Hicks 已提交
35 
extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);
M
integrity: IMA as an integrity service provider  
Mimi Zohar 已提交
36
M
ima: on soft reboot, save the measurement list  
Mimi Zohar 已提交
37 38 39 40 
#ifdef CONFIG_IMA_KEXEC
extern void ima_add_kexec_buffer(struct kimage *image);
#endif
N
ima: add a new CONFIG for loading arch-specific policies  
Nayna Jain 已提交
41 
#ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
N
x86/ima: define arch_ima_get_secureboot  
Nayna Jain 已提交
42 
extern bool arch_ima_get_secureboot(void);
E
x86/ima: define arch_get_ima_policy() for x86  
Eric Richter 已提交
43 
extern const char * const *arch_get_ima_policy(void);
N
x86/ima: define arch_ima_get_secureboot  
Nayna Jain 已提交
44 45 46 47 48 49 
#else
static inline bool arch_ima_get_secureboot(void)
{
	return false;
}
N
ima: add support for arch specific policies  
Nayna Jain 已提交
50 51 52 53 
static inline const char * const *arch_get_ima_policy(void)
{
	return NULL;
}
E
x86/ima: define arch_get_ima_policy() for x86  
Eric Richter 已提交
54 
#endif
N
ima: add support for arch specific policies  
Nayna Jain 已提交
55
M
integrity: IMA as an integrity service provider  
Mimi Zohar 已提交
56 
#else
M
integrity: IMA hooks  
Mimi Zohar 已提交
57 58 59 60 61 
static inline int ima_bprm_check(struct linux_binprm *bprm)
{
	return 0;
}
A
IMA: don't propagate opened through the entire thing  
Al Viro 已提交
62 
static inline int ima_file_check(struct file *file, int mask)
M
integrity: IMA hooks  
Mimi Zohar 已提交
63 64 65 66 
{
	return 0;
}
M
ima: define ima_post_create_tmpfile() hook and add missing call  
Mimi Zohar 已提交
67 68 69 70 
static inline void ima_post_create_tmpfile(struct inode *inode)
{
}
M
integrity: IMA hooks  
Mimi Zohar 已提交
71 72 73 74 75 76 77 78 79 
static inline void ima_file_free(struct file *file)
{
	return;
}

static inline int ima_file_mmap(struct file *file, unsigned long prot)
{
	return 0;
}
M
ima: add inode_post_setattr call  
Mimi Zohar 已提交
80
M
ima: verify mprotect change is consistent with mmap policy  
Mimi Zohar 已提交
81 82 83 84 85 86 
static inline int ima_file_mprotect(struct vm_area_struct *vma,
				    unsigned long prot)
{
	return 0;
}
K
LSM: Introduce kernel_post_load_data() hook  
Kees Cook 已提交
87 88 89 90 91 92 93 94 
static inline int ima_load_data(enum kernel_load_data_id id, bool contents)
{
	return 0;
}

static inline int ima_post_load_data(char *buf, loff_t size,
				     enum kernel_load_data_id id,
				     char *description)
M
ima: based on policy require signed kexec kernel images  
Mimi Zohar 已提交
95 96 97 98 
{
	return 0;
}
K
LSM: Add "contents" flag to kernel_read_file hook  
Kees Cook 已提交
99 100 
static inline int ima_read_file(struct file *file, enum kernel_read_file_id id,
				bool contents)
M
security: define kernel_read_file hook  
Mimi Zohar 已提交
101 102 103 104 
{
	return 0;
}
M
ima: define a new hook to measure and appraise a file already in memory  
Mimi Zohar 已提交
105 106 107 108 109 110 
static inline int ima_post_read_file(struct file *file, void *buf, loff_t size,
				     enum kernel_read_file_id id)
{
	return 0;
}
M
ima: add support for creating files using the mknodat syscall  
Mimi Zohar 已提交
111 112 113 114 115 
static inline void ima_post_path_mknod(struct dentry *dentry)
{
	return;
}
F
ima: add the ability to query the cached hash of a given file  
Florent Revest 已提交
116 117 118 119 120 
static inline int ima_file_hash(struct file *file, char *buf, size_t buf_size)
{
	return -EOPNOTSUPP;
}
T
ima: Support additional conditionals in the KEXEC_CMDLINE hook function  
Tyler Hicks 已提交
121 
static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {}
P
Remove spurious _H suffixes from ifdef comments  
Paul Bolle 已提交
122 
#endif /* CONFIG_IMA */
M
ima: add inode_post_setattr call  
Mimi Zohar 已提交
123
M
ima: on soft reboot, save the measurement list  
Mimi Zohar 已提交
124 125 126 127 128 129 130 
#ifndef CONFIG_IMA_KEXEC
struct kimage;

static inline void ima_add_kexec_buffer(struct kimage *image)
{}
#endif
L
IMA: fix measuring asymmetric keys Kconfig  
Lakshmi Ramasubramanian 已提交
131 
#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
L
KEYS: Call the IMA hook to measure keys  
Lakshmi Ramasubramanian 已提交
132 133 134 135 136 137 138 139 140 141 142 
extern void ima_post_key_create_or_update(struct key *keyring,
					  struct key *key,
					  const void *payload, size_t plen,
					  unsigned long flags, bool create);
#else
static inline void ima_post_key_create_or_update(struct key *keyring,
						 struct key *key,
						 const void *payload,
						 size_t plen,
						 unsigned long flags,
						 bool create) {}
L
IMA: fix measuring asymmetric keys Kconfig  
Lakshmi Ramasubramanian 已提交
143 
#endif  /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */
L
KEYS: Call the IMA hook to measure keys  
Lakshmi Ramasubramanian 已提交
144
M
ima: add inode_post_setattr call  
Mimi Zohar 已提交
145 
#ifdef CONFIG_IMA_APPRAISE
M
ima: define is_ima_appraise_enabled()  
Mimi Zohar 已提交
146 
extern bool is_ima_appraise_enabled(void);
M
ima: add inode_post_setattr call  
Mimi Zohar 已提交
147 
extern void ima_inode_post_setattr(struct dentry *dentry);
M
ima: add ima_inode_setxattr/removexattr function and calls  
Mimi Zohar 已提交
148 149 
extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
		       const void *xattr_value, size_t xattr_value_len);
R
ima: Move ima_reset_appraise_flags() call to post hooks  
Roberto Sassu 已提交
150 151 152 153 
extern void ima_inode_post_setxattr(struct dentry *dentry,
				    const char *xattr_name,
				    const void *xattr_value,
				    size_t xattr_value_len);
M
ima: add ima_inode_setxattr/removexattr function and calls  
Mimi Zohar 已提交
154 
extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name);
R
ima: Move ima_reset_appraise_flags() call to post hooks  
Roberto Sassu 已提交
155 156 
extern void ima_inode_post_removexattr(struct dentry *dentry,
				       const char *xattr_name);
M
ima: add inode_post_setattr call  
Mimi Zohar 已提交
157 
#else
M
ima: define is_ima_appraise_enabled()  
Mimi Zohar 已提交
158 159 160 161 162 
static inline bool is_ima_appraise_enabled(void)
{
	return 0;
}
M
ima: add inode_post_setattr call  
Mimi Zohar 已提交
163 164 165 166 
static inline void ima_inode_post_setattr(struct dentry *dentry)
{
	return;
}
M
ima: add ima_inode_setxattr/removexattr function and calls  
Mimi Zohar 已提交
167 168 169 170 171 172 173 174 175 

static inline int ima_inode_setxattr(struct dentry *dentry,
				     const char *xattr_name,
				     const void *xattr_value,
				     size_t xattr_value_len)
{
	return 0;
}
R
ima: Move ima_reset_appraise_flags() call to post hooks  
Roberto Sassu 已提交
176 177 178 179 180 181 182 
static inline void ima_inode_post_setxattr(struct dentry *dentry,
					   const char *xattr_name,
					   const void *xattr_value,
					   size_t xattr_value_len)
{
}
M
ima: add ima_inode_setxattr/removexattr function and calls  
Mimi Zohar 已提交
183 184 185 186 187 
static inline int ima_inode_removexattr(struct dentry *dentry,
					const char *xattr_name)
{
	return 0;
}
R
ima: Move ima_reset_appraise_flags() call to post hooks  
Roberto Sassu 已提交
188 189 190 191 192 

static inline void ima_inode_post_removexattr(struct dentry *dentry,
					      const char *xattr_name)
{
}
P
Remove spurious _H suffixes from ifdef comments  
Paul Bolle 已提交
193 
#endif /* CONFIG_IMA_APPRAISE */
M
kexec: Allow kexec_file() with appropriate IMA policy when locked down  
Matthew Garrett 已提交
194 195 196 197 198 199 200 201 202 

#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
extern bool ima_appraise_signature(enum kernel_read_file_id func);
#else
static inline bool ima_appraise_signature(enum kernel_read_file_id func)
{
	return false;
}
#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
K
ima: Introduce ima namespace  
Krzysztof Struczynski 已提交
203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 

struct ima_namespace {
	struct kref kref;
	struct ns_common ns;
	struct ucounts *ucounts;
	struct user_namespace *user_ns;
} __randomize_layout;

extern struct ima_namespace init_ima_ns;

#ifdef CONFIG_IMA_NS
struct ima_namespace *copy_ima_ns(unsigned long flags,
				  struct user_namespace *user_ns,
				  struct ima_namespace *old_ns);

void free_ima_ns(struct kref *kref);

int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk);

static inline struct ima_namespace *get_ima_ns(struct ima_namespace *ns)
{
	if (ns)
		kref_get(&ns->kref);
	return ns;
}
static inline void put_ima_ns(struct ima_namespace *ns)
{
	if (ns)
		kref_put(&ns->kref, free_ima_ns);
}

#else
static inline struct ima_namespace *copy_ima_ns(unsigned long flags,
						struct user_namespace *user_ns,
						struct ima_namespace *old_ns)
{
	return old_ns;
}

static inline int imans_on_fork(struct nsproxy *nsproxy,
				struct task_struct *tsk)
{
	return 0;
}

static inline struct ima_namespace *get_ima_ns(struct ima_namespace *ns)
{
	return ns;
}

static inline void put_ima_ns(struct ima_namespace *ns)
{
}
#endif /* CONFIG_IMA_NS */
M
integrity: IMA hooks  
Mimi Zohar 已提交
257 
#endif /* _LINUX_IMA_H */