ima: rename PATH_CHECK to FILE_CHECK

With the movement of the ima hooks, functions were renamed from *path* to
*file* since they always deal with struct file. This patch renames some of
the ima internal flags to make them consistent with the rest of the code.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

authored by Mimi Zohar and committed by Al Viro 1e93d005 9bbb6cad

+17 -14
+6 -6
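--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -20,7 +20,7 @@
 lsm: [[subj_user=] [subj_role=] [subj_type=]
 [obj_user=] [obj_role=] [obj_type=]]
 
-base: func:= [BPRM_CHECK][FILE_MMAP][INODE_PERMISSION]
+base: func:= [BPRM_CHECK][FILE_MMAP][FILE_CHECK]
 mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
 fsmagic:= hex value
 uid:= decimal value
@@ -40,11 +40,11 @@
 
 measure func=BPRM_CHECK
 measure func=FILE_MMAP mask=MAY_EXEC
-measure func=INODE_PERM mask=MAY_READ uid=0
+measure func=FILE_CHECK mask=MAY_READ uid=0
 
 The default policy measures all executables in bprm_check,
 all files mmapped executable in file_mmap, and all files
-open for read by root in inode_permission.
+open for read by root in do_filp_open.
 
 Examples of LSM specific definitions:
 
@@ -54,8 +54,8 @@
 
 dont_measure obj_type=var_log_t
 dont_measure obj_type=auditd_log_t
-measure subj_user=system_u func=INODE_PERM mask=MAY_READ
-measure subj_role=system_r func=INODE_PERM mask=MAY_READ
+measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
+measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
 
 Smack:
-measure subj_user=_ func=INODE_PERM mask=MAY_READ
+measure subj_user=_ func=FILE_CHECK mask=MAY_READ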
+1 -1
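--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -130,7 +130,7 @@
 void iint_rcu_free(struct rcu_head *rcu);
 
 /* IMA policy related functions */
-enum ima_hooks { PATH_CHECK = 1, FILE_MMAP, BPRM_CHECK };
+enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK };
 
 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask);
 void ima_init_policy(void);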
+2 -2
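--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -95,12 +95,12 @@
 * ima_must_measure - measure decision based on policy.
 * @inode: pointer to inode to measure
 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
-* @function: calling function (PATH_CHECK, BPRM_CHECK, FILE_MMAP)
+* @function: calling function (FILE_CHECK, BPRM_CHECK, FILE_MMAP)
 *
 * The policy is defined in terms of keypairs:
 * subj=, obj=, type=, func=, mask=, fsmagic=
 * subj,obj, and type: are LSM specific.
-* func: PATH_CHECK | BPRM_CHECK | FILE_MMAP
+* func: FILE_CHECK | BPRM_CHECK | FILE_MMAP
 * mask: contains the permission mask
 * fsmagic: hex value
 *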
+2 -2
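--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -153,7 +153,7 @@
 if (!iint)
 return;
 mutex_lock(&iint->mutex);
-rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);
+rc = ima_must_measure(iint, inode, MAY_READ, FILE_CHECK);
 if (rc < 0)
 goto out;
 
@@ -312,7 +312,7 @@
 
 rc = process_measurement(file, file->f_dentry->d_name.name,
 mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
-PATH_CHECK);
+FILE_CHECK);
 return 0;
 }
 EXPORT_SYMBOL_GPL(ima_file_check);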
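Review bot: In the second hunk the value of `rc` from process_measurement() is assigned and then dropped, because the next line is an unconditional `return 0;`, so a failed measurement on the FILE_CHECK path is invisible to the caller of ima_file_check(). If that is deliberate (measurement is not meant to deny the open), a comment above the return would say so, for example `/* measurement only: a failure here never denies access */`; otherwise the function should end with `return rc;`. The function body starts outside the hunk, so any earlier handling of rc is not visible here.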
+6 -3
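--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -67,7 +67,7 @@
 .flags = IMA_FUNC | IMA_MASK},
 {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
 .flags = IMA_FUNC | IMA_MASK},
-{.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
+{.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = 0,
 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 };
 
@@ -282,8 +282,11 @@
 break;
 case Opt_func:
 audit_log_format(ab, "func=%s ", args[0].from);
-if (strcmp(args[0].from, "PATH_CHECK") == 0)
-entry->func = PATH_CHECK;
+if (strcmp(args[0].from, "FILE_CHECK") == 0)
+entry->func = FILE_CHECK;
+/* PATH_CHECK is for backwards compat */
+else if (strcmp(args[0].from, "PATH_CHECK") == 0)
+entry->func = FILE_CHECK;
 else if (strcmp(args[0].from, "FILE_MMAP") == 0)
 entry->func = FILE_MMAP;
 else if (strcmp(args[0].from, "BPRM_CHECK") == 0)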
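Review bot: The `PATH_CHECK` alias added in the Opt_func case is the only legacy spelling handled, while the examples this same commit removes from Documentation/ABI/testing/ima_policy used `func=INODE_PERM`, a token that none of the comparisons visible here match. What happens to an unmatched token is decided after the last line of the hunk, so it cannot be seen here whether such a rule is rejected or stored without a func; in either case a policy written from the old documentation would presumably not yield the FILE_CHECK rule its author expected. I would list the alias next to the `func:=` line in the ABI file and widen the comment to `/* PATH_CHECK is the pre-rename name of FILE_CHECK, kept so existing policies still load */`. Because audit_log_format() records the raw token before it is mapped, audit records for aliased rules will still read `func=PATH_CHECK`, which anyone matching on those records should expect.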