提交 6c21a7fb 编写于 作者: M Mimi Zohar 提交者: James Morris

LSM: imbed ima calls in the security hooks

Based on discussions on LKML and LSM, where there are consecutive
security_ and ima_ calls in the vfs layer, move the ima_ calls to
the existing security_ hooks.
Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
Signed-off-by: NJames Morris <jmorris@namei.org>
上级 6e8e16c7
...@@ -46,7 +46,6 @@ ...@@ -46,7 +46,6 @@
#include <linux/proc_fs.h> #include <linux/proc_fs.h>
#include <linux/mount.h> #include <linux/mount.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
#include <linux/syscalls.h> #include <linux/syscalls.h>
#include <linux/tsacct_kern.h> #include <linux/tsacct_kern.h>
#include <linux/cn_proc.h> #include <linux/cn_proc.h>
...@@ -1209,9 +1208,6 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) ...@@ -1209,9 +1208,6 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
struct linux_binfmt *fmt; struct linux_binfmt *fmt;
retval = security_bprm_check(bprm); retval = security_bprm_check(bprm);
if (retval)
return retval;
retval = ima_bprm_check(bprm);
if (retval) if (retval)
return retval; return retval;
......
...@@ -13,7 +13,6 @@ ...@@ -13,7 +13,6 @@
#include <linux/module.h> #include <linux/module.h>
#include <linux/fs.h> #include <linux/fs.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
#include <linux/eventpoll.h> #include <linux/eventpoll.h>
#include <linux/rcupdate.h> #include <linux/rcupdate.h>
#include <linux/mount.h> #include <linux/mount.h>
...@@ -280,7 +279,6 @@ void __fput(struct file *file) ...@@ -280,7 +279,6 @@ void __fput(struct file *file)
if (file->f_op && file->f_op->release) if (file->f_op && file->f_op->release)
file->f_op->release(inode, file); file->f_op->release(inode, file);
security_file_free(file); security_file_free(file);
ima_file_free(file);
if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL)) if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL))
cdev_put(inode->i_cdev); cdev_put(inode->i_cdev);
fops_put(file->f_op); fops_put(file->f_op);
......
...@@ -18,7 +18,6 @@ ...@@ -18,7 +18,6 @@
#include <linux/hash.h> #include <linux/hash.h>
#include <linux/swap.h> #include <linux/swap.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
#include <linux/pagemap.h> #include <linux/pagemap.h>
#include <linux/cdev.h> #include <linux/cdev.h>
#include <linux/bootmem.h> #include <linux/bootmem.h>
...@@ -157,11 +156,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode) ...@@ -157,11 +156,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
if (security_inode_alloc(inode)) if (security_inode_alloc(inode))
goto out; goto out;
/* allocate and initialize an i_integrity */
if (ima_inode_alloc(inode))
goto out_free_security;
spin_lock_init(&inode->i_lock); spin_lock_init(&inode->i_lock);
lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key); lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
...@@ -201,9 +195,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode) ...@@ -201,9 +195,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
#endif #endif
return 0; return 0;
out_free_security:
security_inode_free(inode);
out: out:
return -ENOMEM; return -ENOMEM;
} }
...@@ -235,7 +226,6 @@ static struct inode *alloc_inode(struct super_block *sb) ...@@ -235,7 +226,6 @@ static struct inode *alloc_inode(struct super_block *sb)
void __destroy_inode(struct inode *inode) void __destroy_inode(struct inode *inode)
{ {
BUG_ON(inode_has_buffers(inode)); BUG_ON(inode_has_buffers(inode));
ima_inode_free(inode);
security_inode_free(inode); security_inode_free(inode);
fsnotify_inode_delete(inode); fsnotify_inode_delete(inode);
#ifdef CONFIG_FS_POSIX_ACL #ifdef CONFIG_FS_POSIX_ACL
......
...@@ -20,7 +20,6 @@ ...@@ -20,7 +20,6 @@
#include <linux/fs.h> #include <linux/fs.h>
#include <linux/personality.h> #include <linux/personality.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
#include <linux/hugetlb.h> #include <linux/hugetlb.h>
#include <linux/profile.h> #include <linux/profile.h>
#include <linux/module.h> #include <linux/module.h>
...@@ -1059,9 +1058,6 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, ...@@ -1059,9 +1058,6 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
} }
error = security_file_mmap(file, reqprot, prot, flags, addr, 0); error = security_file_mmap(file, reqprot, prot, flags, addr, 0);
if (error)
return error;
error = ima_file_mmap(file, prot);
if (error) if (error)
return error; return error;
......
...@@ -3,6 +3,7 @@ ...@@ -3,6 +3,7 @@
config IMA config IMA
bool "Integrity Measurement Architecture(IMA)" bool "Integrity Measurement Architecture(IMA)"
depends on ACPI depends on ACPI
depends on SECURITY
select SECURITYFS select SECURITYFS
select CRYPTO select CRYPTO
select CRYPTO_HMAC select CRYPTO_HMAC
......
...@@ -16,6 +16,7 @@ ...@@ -16,6 +16,7 @@
#include <linux/init.h> #include <linux/init.h>
#include <linux/kernel.h> #include <linux/kernel.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
/* Boot-time LSM user choice */ /* Boot-time LSM user choice */
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1]; static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
...@@ -235,7 +236,12 @@ int security_bprm_set_creds(struct linux_binprm *bprm) ...@@ -235,7 +236,12 @@ int security_bprm_set_creds(struct linux_binprm *bprm)
int security_bprm_check(struct linux_binprm *bprm) int security_bprm_check(struct linux_binprm *bprm)
{ {
return security_ops->bprm_check_security(bprm); int ret;
ret = security_ops->bprm_check_security(bprm);
if (ret)
return ret;
return ima_bprm_check(bprm);
} }
void security_bprm_committing_creds(struct linux_binprm *bprm) void security_bprm_committing_creds(struct linux_binprm *bprm)
...@@ -352,12 +358,21 @@ EXPORT_SYMBOL(security_sb_parse_opts_str); ...@@ -352,12 +358,21 @@ EXPORT_SYMBOL(security_sb_parse_opts_str);
int security_inode_alloc(struct inode *inode) int security_inode_alloc(struct inode *inode)
{ {
int ret;
inode->i_security = NULL; inode->i_security = NULL;
return security_ops->inode_alloc_security(inode); ret = security_ops->inode_alloc_security(inode);
if (ret)
return ret;
ret = ima_inode_alloc(inode);
if (ret)
security_inode_free(inode);
return ret;
} }
void security_inode_free(struct inode *inode) void security_inode_free(struct inode *inode)
{ {
ima_inode_free(inode);
security_ops->inode_free_security(inode); security_ops->inode_free_security(inode);
} }
...@@ -648,6 +663,8 @@ int security_file_alloc(struct file *file) ...@@ -648,6 +663,8 @@ int security_file_alloc(struct file *file)
void security_file_free(struct file *file) void security_file_free(struct file *file)
{ {
security_ops->file_free_security(file); security_ops->file_free_security(file);
if (file->f_dentry)
ima_file_free(file);
} }
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
...@@ -659,7 +676,12 @@ int security_file_mmap(struct file *file, unsigned long reqprot, ...@@ -659,7 +676,12 @@ int security_file_mmap(struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags, unsigned long prot, unsigned long flags,
unsigned long addr, unsigned long addr_only) unsigned long addr, unsigned long addr_only)
{ {
return security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only); int ret;
ret = security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only);
if (ret)
return ret;
return ima_file_mmap(file, prot);
} }
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
......
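Review bot: In security_inode_alloc, the new failure path calls security_inode_free(inode) after ima_inode_alloc has failed, and security_inode_free now starts with ima_inode_free(inode); that is only safe if ima_inode_free tolerates an inode whose integrity state was never allocated, which should be confirmed and recorded at the call, e.g. `/* ima_inode_free() must tolerate an inode whose IMA alloc failed */`. The guard `if (file->f_dentry)` in security_file_free is a behavioural change from the unconditional ima_file_free call removed from __fput, and the commit message does not explain it; presumably it covers files torn down before they ever get a dentry and so were never measured, and a one-line comment stating that would save the next reader from guessing. Ordering in security_bprm_check and security_file_mmap (LSM first, IMA only on success) is consistent with the call sequence removed from the vfs callers, so no change is needed there.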