提交 0c343af8 编写于 作者: M Matthew Garrett 提交者: Mimi Zohar

integrity: Add an integrity directory in securityfs

We want to add additional evm control nodes, and it'd be preferable not
to clutter up the securityfs root directory any further. Create a new
integrity directory, move the ima directory into it, create an evm
directory for the evm attribute and add compatibility symlinks.
Signed-off-by: NMatthew Garrett <mjg59@google.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
上级 4ecd9934
...@@ -19,7 +19,9 @@ ...@@ -19,7 +19,9 @@
#include <linux/module.h> #include <linux/module.h>
#include "evm.h" #include "evm.h"
static struct dentry *evm_dir;
static struct dentry *evm_init_tpm; static struct dentry *evm_init_tpm;
static struct dentry *evm_symlink;
/** /**
* evm_read_key - read() for <securityfs>/evm * evm_read_key - read() for <securityfs>/evm
...@@ -111,9 +113,28 @@ int __init evm_init_secfs(void) ...@@ -111,9 +113,28 @@ int __init evm_init_secfs(void)
{ {
int error = 0; int error = 0;
evm_init_tpm = securityfs_create_file("evm", S_IRUSR | S_IRGRP, evm_dir = securityfs_create_dir("evm", integrity_dir);
NULL, NULL, &evm_key_ops); if (!evm_dir || IS_ERR(evm_dir))
if (!evm_init_tpm || IS_ERR(evm_init_tpm)) return -EFAULT;
evm_init_tpm = securityfs_create_file("evm", 0660,
evm_dir, NULL, &evm_key_ops);
if (!evm_init_tpm || IS_ERR(evm_init_tpm)) {
error = -EFAULT;
goto out;
}
evm_symlink = securityfs_create_symlink("evm", NULL,
"integrity/evm/evm", NULL);
if (!evm_symlink || IS_ERR(evm_symlink)) {
error = -EFAULT; error = -EFAULT;
goto out;
}
return 0;
out:
securityfs_remove(evm_symlink);
securityfs_remove(evm_init_tpm);
securityfs_remove(evm_dir);
return error; return error;
} }
...@@ -21,12 +21,15 @@ ...@@ -21,12 +21,15 @@
#include <linux/rbtree.h> #include <linux/rbtree.h>
#include <linux/file.h> #include <linux/file.h>
#include <linux/uaccess.h> #include <linux/uaccess.h>
#include <linux/security.h>
#include "integrity.h" #include "integrity.h"
static struct rb_root integrity_iint_tree = RB_ROOT; static struct rb_root integrity_iint_tree = RB_ROOT;
static DEFINE_RWLOCK(integrity_iint_lock); static DEFINE_RWLOCK(integrity_iint_lock);
static struct kmem_cache *iint_cache __read_mostly; static struct kmem_cache *iint_cache __read_mostly;
struct dentry *integrity_dir;
/* /*
* __integrity_iint_find - return the iint associated with an inode * __integrity_iint_find - return the iint associated with an inode
*/ */
...@@ -211,3 +214,18 @@ void __init integrity_load_keys(void) ...@@ -211,3 +214,18 @@ void __init integrity_load_keys(void)
ima_load_x509(); ima_load_x509();
evm_load_x509(); evm_load_x509();
} }
static int __init integrity_fs_init(void)
{
integrity_dir = securityfs_create_dir("integrity", NULL);
if (IS_ERR(integrity_dir)) {
pr_err("Unable to create integrity sysfs dir: %ld\n",
PTR_ERR(integrity_dir));
integrity_dir = NULL;
return PTR_ERR(integrity_dir);
}
return 0;
}
late_initcall(integrity_fs_init)
...@@ -359,6 +359,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, ...@@ -359,6 +359,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
} }
static struct dentry *ima_dir; static struct dentry *ima_dir;
static struct dentry *ima_symlink;
static struct dentry *binary_runtime_measurements; static struct dentry *binary_runtime_measurements;
static struct dentry *ascii_runtime_measurements; static struct dentry *ascii_runtime_measurements;
static struct dentry *runtime_measurements_count; static struct dentry *runtime_measurements_count;
...@@ -453,10 +454,15 @@ static const struct file_operations ima_measure_policy_ops = { ...@@ -453,10 +454,15 @@ static const struct file_operations ima_measure_policy_ops = {
int __init ima_fs_init(void) int __init ima_fs_init(void)
{ {
ima_dir = securityfs_create_dir("ima", NULL); ima_dir = securityfs_create_dir("ima", integrity_dir);
if (IS_ERR(ima_dir)) if (IS_ERR(ima_dir))
return -1; return -1;
ima_symlink = securityfs_create_symlink("ima", NULL, "integrity/ima",
NULL);
if (IS_ERR(ima_symlink))
goto out;
binary_runtime_measurements = binary_runtime_measurements =
securityfs_create_file("binary_runtime_measurements", securityfs_create_file("binary_runtime_measurements",
S_IRUSR | S_IRGRP, ima_dir, NULL, S_IRUSR | S_IRGRP, ima_dir, NULL,
...@@ -496,6 +502,7 @@ int __init ima_fs_init(void) ...@@ -496,6 +502,7 @@ int __init ima_fs_init(void)
securityfs_remove(runtime_measurements_count); securityfs_remove(runtime_measurements_count);
securityfs_remove(ascii_runtime_measurements); securityfs_remove(ascii_runtime_measurements);
securityfs_remove(binary_runtime_measurements); securityfs_remove(binary_runtime_measurements);
securityfs_remove(ima_symlink);
securityfs_remove(ima_dir); securityfs_remove(ima_dir);
securityfs_remove(ima_policy); securityfs_remove(ima_policy);
return -1; return -1;
......
...@@ -143,6 +143,8 @@ int integrity_kernel_read(struct file *file, loff_t offset, ...@@ -143,6 +143,8 @@ int integrity_kernel_read(struct file *file, loff_t offset,
#define INTEGRITY_KEYRING_MODULE 2 #define INTEGRITY_KEYRING_MODULE 2
#define INTEGRITY_KEYRING_MAX 3 #define INTEGRITY_KEYRING_MAX 3
extern struct dentry *integrity_dir;
#ifdef CONFIG_INTEGRITY_SIGNATURE #ifdef CONFIG_INTEGRITY_SIGNATURE
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册