Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
Take ima_file_free() to proper place.
ima: rename PATH_CHECK to FILE_CHECK
ima: rename ima_path_check to ima_file_check
ima: initialize ima before inodes can be allocated
fix ima breakage
Take ima_path_check() in nfsd past dentry_open() in nfsd_open()
freeze_bdev: don't deactivate successfully frozen MS_RDONLY sb
befs: fix leak
+6
-6
Documentation/ABI/testing/ima_policy
+6
-6
Documentation/ABI/testing/ima_policy
···
20
lsm: [[subj_user=] [subj_role=] [subj_type=]
21
[obj_user=] [obj_role=] [obj_type=]]
22
23
-
base: func:= [BPRM_CHECK][FILE_MMAP][INODE_PERMISSION]
24
mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
25
fsmagic:= hex value
26
uid:= decimal value
···
40
41
measure func=BPRM_CHECK
42
measure func=FILE_MMAP mask=MAY_EXEC
43
-
measure func=INODE_PERM mask=MAY_READ uid=0
44
45
The default policy measures all executables in bprm_check,
46
all files mmapped executable in file_mmap, and all files
47
-
open for read by root in inode_permission.
48
49
Examples of LSM specific definitions:
50
···
54
55
dont_measure obj_type=var_log_t
56
dont_measure obj_type=auditd_log_t
57
-
measure subj_user=system_u func=INODE_PERM mask=MAY_READ
58
-
measure subj_role=system_r func=INODE_PERM mask=MAY_READ
59
60
Smack:
61
-
measure subj_user=_ func=INODE_PERM mask=MAY_READ
···
20
lsm: [[subj_user=] [subj_role=] [subj_type=]
21
[obj_user=] [obj_role=] [obj_type=]]
22
23
+
base: func:= [BPRM_CHECK][FILE_MMAP][FILE_CHECK]
24
mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
25
fsmagic:= hex value
26
uid:= decimal value
···
40
41
measure func=BPRM_CHECK
42
measure func=FILE_MMAP mask=MAY_EXEC
43
+
measure func=FILE_CHECK mask=MAY_READ uid=0
44
45
The default policy measures all executables in bprm_check,
46
all files mmapped executable in file_mmap, and all files
47
+
open for read by root in do_filp_open.
48
49
Examples of LSM specific definitions:
50
···
54
55
dont_measure obj_type=var_log_t
56
dont_measure obj_type=auditd_log_t
57
+
measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
58
+
measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
59
60
Smack:
61
+
measure subj_user=_ func=FILE_CHECK mask=MAY_READ
+1
fs/befs/linuxvfs.c
+1
fs/befs/linuxvfs.c
+4
-3
fs/block_dev.c
+4
-3
fs/block_dev.c
···
246
if (!sb)
247
goto out;
248
if (sb->s_flags & MS_RDONLY) {
249
-
deactivate_locked_super(sb);
250
mutex_unlock(&bdev->bd_fsfreeze_mutex);
251
return sb;
252
}
···
308
BUG_ON(sb->s_bdev != bdev);
309
down_write(&sb->s_umount);
310
if (sb->s_flags & MS_RDONLY)
311
-
goto out_deactivate;
312
313
if (sb->s_op->unfreeze_fs) {
314
error = sb->s_op->unfreeze_fs(sb);
···
322
}
323
}
324
325
sb->s_frozen = SB_UNFROZEN;
326
smp_wmb();
327
wake_up(&sb->s_wait_unfrozen);
328
329
-
out_deactivate:
330
if (sb)
331
deactivate_locked_super(sb);
332
out_unlock:
···
246
if (!sb)
247
goto out;
248
if (sb->s_flags & MS_RDONLY) {
249
+
sb->s_frozen = SB_FREEZE_TRANS;
250
+
up_write(&sb->s_umount);
251
mutex_unlock(&bdev->bd_fsfreeze_mutex);
252
return sb;
253
}
···
307
BUG_ON(sb->s_bdev != bdev);
308
down_write(&sb->s_umount);
309
if (sb->s_flags & MS_RDONLY)
310
+
goto out_unfrozen;
311
312
if (sb->s_op->unfreeze_fs) {
313
error = sb->s_op->unfreeze_fs(sb);
···
321
}
322
}
323
324
+
out_unfrozen:
325
sb->s_frozen = SB_UNFROZEN;
326
smp_wmb();
327
wake_up(&sb->s_wait_unfrozen);
328
329
if (sb)
330
deactivate_locked_super(sb);
331
out_unlock:
+1
fs/file_table.c
+1
fs/file_table.c
+2
-4
fs/namei.c
+2
-4
fs/namei.c
···
1736
if (nd.root.mnt)
1737
path_put(&nd.root);
1738
if (!IS_ERR(filp)) {
1739
-
error = ima_path_check(&filp->f_path, filp->f_mode &
1740
-
(MAY_READ | MAY_WRITE | MAY_EXEC));
1741
if (error) {
1742
fput(filp);
1743
filp = ERR_PTR(error);
···
1796
}
1797
filp = nameidata_to_filp(&nd);
1798
if (!IS_ERR(filp)) {
1799
-
error = ima_path_check(&filp->f_path, filp->f_mode &
1800
-
(MAY_READ | MAY_WRITE | MAY_EXEC));
1801
if (error) {
1802
fput(filp);
1803
filp = ERR_PTR(error);
···
1736
if (nd.root.mnt)
1737
path_put(&nd.root);
1738
if (!IS_ERR(filp)) {
1739
+
error = ima_file_check(filp, acc_mode);
1740
if (error) {
1741
fput(filp);
1742
filp = ERR_PTR(error);
···
1797
}
1798
filp = nameidata_to_filp(&nd);
1799
if (!IS_ERR(filp)) {
1800
+
error = ima_file_check(filp, acc_mode);
1801
if (error) {
1802
fput(filp);
1803
filp = ERR_PTR(error);
+1
-1
fs/nfsd/vfs.c
+1
-1
fs/nfsd/vfs.c
···
752
flags, current_cred());
753
if (IS_ERR(*filp))
754
host_err = PTR_ERR(*filp);
755
out_nfserr:
756
err = nfserrno(host_err);
757
out:
···
2128
*/
2129
path.mnt = exp->ex_path.mnt;
2130
path.dentry = dentry;
2131
-
err = ima_path_check(&path, acc & (MAY_READ | MAY_WRITE | MAY_EXEC));
2132
nfsd_out:
2133
return err? nfserrno(err) : 0;
2134
}
···
752
flags, current_cred());
753
if (IS_ERR(*filp))
754
host_err = PTR_ERR(*filp);
755
+
host_err = ima_file_check(*filp, access);
756
out_nfserr:
757
err = nfserrno(host_err);
758
out:
···
2127
*/
2128
path.mnt = exp->ex_path.mnt;
2129
path.dentry = dentry;
2130
nfsd_out:
2131
return err? nfserrno(err) : 0;
2132
}
+2
-2
include/linux/ima.h
+2
-2
include/linux/ima.h
···
17
extern int ima_bprm_check(struct linux_binprm *bprm);
18
extern int ima_inode_alloc(struct inode *inode);
19
extern void ima_inode_free(struct inode *inode);
20
-
extern int ima_path_check(struct path *path, int mask);
21
extern void ima_file_free(struct file *file);
22
extern int ima_file_mmap(struct file *file, unsigned long prot);
23
extern void ima_counts_get(struct file *file);
···
38
return;
39
}
40
41
-
static inline int ima_path_check(struct path *path, int mask)
42
{
43
return 0;
44
}
···
17
extern int ima_bprm_check(struct linux_binprm *bprm);
18
extern int ima_inode_alloc(struct inode *inode);
19
extern void ima_inode_free(struct inode *inode);
20
+
extern int ima_file_check(struct file *file, int mask);
21
extern void ima_file_free(struct file *file);
22
extern int ima_file_mmap(struct file *file, unsigned long prot);
23
extern void ima_counts_get(struct file *file);
···
38
return;
39
}
40
41
+
static inline int ima_file_check(struct file *file, int mask)
42
{
43
return 0;
44
}
+1
-1
init/main.c
+1
-1
init/main.c
+1
-2
security/integrity/ima/ima.h
+1
-2
security/integrity/ima/ima.h
···
65
const char *cause, int result, int info);
66
67
/* Internal IMA function definitions */
68
-
void ima_iintcache_init(void);
69
int ima_init(void);
70
void ima_cleanup(void);
71
int ima_fs_init(void);
···
130
void iint_rcu_free(struct rcu_head *rcu);
131
132
/* IMA policy related functions */
133
-
enum ima_hooks { PATH_CHECK = 1, FILE_MMAP, BPRM_CHECK };
134
135
int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask);
136
void ima_init_policy(void);
···
65
const char *cause, int result, int info);
66
67
/* Internal IMA function definitions */
68
int ima_init(void);
69
void ima_cleanup(void);
70
int ima_fs_init(void);
···
131
void iint_rcu_free(struct rcu_head *rcu);
132
133
/* IMA policy related functions */
134
+
enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK };
135
136
int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask);
137
void ima_init_policy(void);
+2
-2
security/integrity/ima/ima_api.c
+2
-2
security/integrity/ima/ima_api.c
···
95
* ima_must_measure - measure decision based on policy.
96
* @inode: pointer to inode to measure
97
* @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
98
-
* @function: calling function (PATH_CHECK, BPRM_CHECK, FILE_MMAP)
99
*
100
* The policy is defined in terms of keypairs:
101
* subj=, obj=, type=, func=, mask=, fsmagic=
102
* subj,obj, and type: are LSM specific.
103
-
* func: PATH_CHECK | BPRM_CHECK | FILE_MMAP
104
* mask: contains the permission mask
105
* fsmagic: hex value
106
*
···
95
* ima_must_measure - measure decision based on policy.
96
* @inode: pointer to inode to measure
97
* @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
98
+
* @function: calling function (FILE_CHECK, BPRM_CHECK, FILE_MMAP)
99
*
100
* The policy is defined in terms of keypairs:
101
* subj=, obj=, type=, func=, mask=, fsmagic=
102
* subj,obj, and type: are LSM specific.
103
+
* func: FILE_CHECK | BPRM_CHECK | FILE_MMAP
104
* mask: contains the permission mask
105
* fsmagic: hex value
106
*
+3
-6
security/integrity/ima/ima_iint.c
+3
-6
security/integrity/ima/ima_iint.c
···
52
struct ima_iint_cache *iint = NULL;
53
int rc = 0;
54
55
-
if (!ima_initialized)
56
-
return 0;
57
-
58
iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
59
if (!iint)
60
return -ENOMEM;
···
115
{
116
struct ima_iint_cache *iint;
117
118
-
if (!ima_initialized)
119
-
return;
120
spin_lock(&ima_iint_lock);
121
iint = radix_tree_delete(&ima_iint_store, (unsigned long)inode);
122
spin_unlock(&ima_iint_lock);
···
136
kref_set(&iint->refcount, 1);
137
}
138
139
-
void __init ima_iintcache_init(void)
140
{
141
iint_cache =
142
kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0,
143
SLAB_PANIC, init_once);
144
}
···
52
struct ima_iint_cache *iint = NULL;
53
int rc = 0;
54
55
iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
56
if (!iint)
57
return -ENOMEM;
···
118
{
119
struct ima_iint_cache *iint;
120
121
spin_lock(&ima_iint_lock);
122
iint = radix_tree_delete(&ima_iint_store, (unsigned long)inode);
123
spin_unlock(&ima_iint_lock);
···
141
kref_set(&iint->refcount, 1);
142
}
143
144
+
static int __init ima_iintcache_init(void)
145
{
146
iint_cache =
147
kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0,
148
SLAB_PANIC, init_once);
149
+
return 0;
150
}
151
+
security_initcall(ima_iintcache_init);
+93
-146
security/integrity/ima/ima_main.c
+93
-146
security/integrity/ima/ima_main.c
···
14
*
15
* File: ima_main.c
16
* implements the IMA hooks: ima_bprm_check, ima_file_mmap,
17
-
* and ima_path_check.
18
*/
19
#include <linux/module.h>
20
#include <linux/file.h>
···
84
return found;
85
}
86
87
/*
88
* Update the counts given an fmode_t
89
*/
···
126
iint->readcount++;
127
if (mode & FMODE_WRITE)
128
iint->writecount++;
129
}
130
131
/*
···
224
kref_put(&iint->refcount, iint_free);
225
}
226
227
-
/* ima_read_write_check - reflect possible reading/writing errors in the PCR.
228
-
*
229
-
* When opening a file for read, if the file is already open for write,
230
-
* the file could change, resulting in a file measurement error.
231
-
*
232
-
* Opening a file for write, if the file is already open for read, results
233
-
* in a time of measure, time of use (ToMToU) error.
234
-
*
235
-
* In either case invalidate the PCR.
236
-
*/
237
-
enum iint_pcr_error { TOMTOU, OPEN_WRITERS };
238
-
static void ima_read_write_check(enum iint_pcr_error error,
239
-
struct ima_iint_cache *iint,
240
-
struct inode *inode,
241
-
const unsigned char *filename)
242
-
{
243
-
switch (error) {
244
-
case TOMTOU:
245
-
if (iint->readcount > 0)
246
-
ima_add_violation(inode, filename, "invalid_pcr",
247
-
"ToMToU");
248
-
break;
249
-
case OPEN_WRITERS:
250
-
if (iint->writecount > 0)
251
-
ima_add_violation(inode, filename, "invalid_pcr",
252
-
"open_writers");
253
-
break;
254
-
}
255
-
}
256
-
257
-
static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,
258
-
const unsigned char *filename)
259
-
{
260
-
int rc = 0;
261
-
262
-
ima_inc_counts(iint, file->f_mode);
263
-
264
-
rc = ima_collect_measurement(iint, file);
265
-
if (!rc)
266
-
ima_store_measurement(iint, file, filename);
267
-
return rc;
268
-
}
269
-
270
-
/**
271
-
* ima_path_check - based on policy, collect/store measurement.
272
-
* @path: contains a pointer to the path to be measured
273
-
* @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
274
-
*
275
-
* Measure the file being open for readonly, based on the
276
-
* ima_must_measure() policy decision.
277
-
*
278
-
* Keep read/write counters for all files, but only
279
-
* invalidate the PCR for measured files:
280
-
* - Opening a file for write when already open for read,
281
-
* results in a time of measure, time of use (ToMToU) error.
282
-
* - Opening a file for read when already open for write,
283
-
* could result in a file measurement error.
284
-
*
285
-
* Always return 0 and audit dentry_open failures.
286
-
* (Return code will be based upon measurement appraisal.)
287
-
*/
288
-
int ima_path_check(struct path *path, int mask)
289
-
{
290
-
struct inode *inode = path->dentry->d_inode;
291
-
struct ima_iint_cache *iint;
292
-
struct file *file = NULL;
293
-
int rc;
294
-
295
-
if (!ima_initialized || !S_ISREG(inode->i_mode))
296
-
return 0;
297
-
iint = ima_iint_find_get(inode);
298
-
if (!iint)
299
-
return 0;
300
-
301
-
mutex_lock(&iint->mutex);
302
-
303
-
rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);
304
-
if (rc < 0)
305
-
goto out;
306
-
307
-
if ((mask & MAY_WRITE) || (mask == 0))
308
-
ima_read_write_check(TOMTOU, iint, inode,
309
-
path->dentry->d_name.name);
310
-
311
-
if ((mask & (MAY_WRITE | MAY_READ | MAY_EXEC)) != MAY_READ)
312
-
goto out;
313
-
314
-
ima_read_write_check(OPEN_WRITERS, iint, inode,
315
-
path->dentry->d_name.name);
316
-
if (!(iint->flags & IMA_MEASURED)) {
317
-
struct dentry *dentry = dget(path->dentry);
318
-
struct vfsmount *mnt = mntget(path->mnt);
319
-
320
-
file = dentry_open(dentry, mnt, O_RDONLY | O_LARGEFILE,
321
-
current_cred());
322
-
if (IS_ERR(file)) {
323
-
int audit_info = 0;
324
-
325
-
integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
326
-
dentry->d_name.name,
327
-
"add_measurement",
328
-
"dentry_open failed",
329
-
1, audit_info);
330
-
file = NULL;
331
-
goto out;
332
-
}
333
-
rc = get_path_measurement(iint, file, dentry->d_name.name);
334
-
}
335
-
out:
336
-
mutex_unlock(&iint->mutex);
337
-
if (file)
338
-
fput(file);
339
-
kref_put(&iint->refcount, iint_free);
340
-
return 0;
341
-
}
342
-
EXPORT_SYMBOL_GPL(ima_path_check);
343
-
344
static int process_measurement(struct file *file, const unsigned char *filename,
345
int mask, int function)
346
{
···
250
kref_put(&iint->refcount, iint_free);
251
return rc;
252
}
253
-
254
-
/*
255
-
* ima_counts_get - increment file counts
256
-
*
257
-
* - for IPC shm and shmat file.
258
-
* - for nfsd exported files.
259
-
*
260
-
* Increment the counts for these files to prevent unnecessary
261
-
* imbalance messages.
262
-
*/
263
-
void ima_counts_get(struct file *file)
264
-
{
265
-
struct inode *inode = file->f_dentry->d_inode;
266
-
struct ima_iint_cache *iint;
267
-
268
-
if (!ima_initialized || !S_ISREG(inode->i_mode))
269
-
return;
270
-
iint = ima_iint_find_get(inode);
271
-
if (!iint)
272
-
return;
273
-
mutex_lock(&iint->mutex);
274
-
ima_inc_counts(iint, file->f_mode);
275
-
mutex_unlock(&iint->mutex);
276
-
277
-
kref_put(&iint->refcount, iint_free);
278
-
}
279
-
EXPORT_SYMBOL_GPL(ima_counts_get);
280
281
/**
282
* ima_file_mmap - based on policy, collect/store measurement.
···
296
return 0;
297
}
298
299
static int __init init_ima(void)
300
{
301
int error;
302
303
-
ima_iintcache_init();
304
error = ima_init();
305
ima_initialized = 1;
306
return error;
···
14
*
15
* File: ima_main.c
16
* implements the IMA hooks: ima_bprm_check, ima_file_mmap,
17
+
* and ima_file_check.
18
*/
19
#include <linux/module.h>
20
#include <linux/file.h>
···
84
return found;
85
}
86
87
+
/* ima_read_write_check - reflect possible reading/writing errors in the PCR.
88
+
*
89
+
* When opening a file for read, if the file is already open for write,
90
+
* the file could change, resulting in a file measurement error.
91
+
*
92
+
* Opening a file for write, if the file is already open for read, results
93
+
* in a time of measure, time of use (ToMToU) error.
94
+
*
95
+
* In either case invalidate the PCR.
96
+
*/
97
+
enum iint_pcr_error { TOMTOU, OPEN_WRITERS };
98
+
static void ima_read_write_check(enum iint_pcr_error error,
99
+
struct ima_iint_cache *iint,
100
+
struct inode *inode,
101
+
const unsigned char *filename)
102
+
{
103
+
switch (error) {
104
+
case TOMTOU:
105
+
if (iint->readcount > 0)
106
+
ima_add_violation(inode, filename, "invalid_pcr",
107
+
"ToMToU");
108
+
break;
109
+
case OPEN_WRITERS:
110
+
if (iint->writecount > 0)
111
+
ima_add_violation(inode, filename, "invalid_pcr",
112
+
"open_writers");
113
+
break;
114
+
}
115
+
}
116
+
117
/*
118
* Update the counts given an fmode_t
119
*/
···
96
iint->readcount++;
97
if (mode & FMODE_WRITE)
98
iint->writecount++;
99
+
}
100
+
101
+
/*
102
+
* ima_counts_get - increment file counts
103
+
*
104
+
* Maintain read/write counters for all files, but only
105
+
* invalidate the PCR for measured files:
106
+
* - Opening a file for write when already open for read,
107
+
* results in a time of measure, time of use (ToMToU) error.
108
+
* - Opening a file for read when already open for write,
109
+
* could result in a file measurement error.
110
+
*
111
+
*/
112
+
void ima_counts_get(struct file *file)
113
+
{
114
+
struct dentry *dentry = file->f_path.dentry;
115
+
struct inode *inode = dentry->d_inode;
116
+
fmode_t mode = file->f_mode;
117
+
struct ima_iint_cache *iint;
118
+
int rc;
119
+
120
+
if (!ima_initialized || !S_ISREG(inode->i_mode))
121
+
return;
122
+
iint = ima_iint_find_get(inode);
123
+
if (!iint)
124
+
return;
125
+
mutex_lock(&iint->mutex);
126
+
rc = ima_must_measure(iint, inode, MAY_READ, FILE_CHECK);
127
+
if (rc < 0)
128
+
goto out;
129
+
130
+
if (mode & FMODE_WRITE) {
131
+
ima_read_write_check(TOMTOU, iint, inode, dentry->d_name.name);
132
+
goto out;
133
+
}
134
+
ima_read_write_check(OPEN_WRITERS, iint, inode, dentry->d_name.name);
135
+
out:
136
+
ima_inc_counts(iint, file->f_mode);
137
+
mutex_unlock(&iint->mutex);
138
+
139
+
kref_put(&iint->refcount, iint_free);
140
}
141
142
/*
···
153
kref_put(&iint->refcount, iint_free);
154
}
155
156
static int process_measurement(struct file *file, const unsigned char *filename,
157
int mask, int function)
158
{
···
296
kref_put(&iint->refcount, iint_free);
297
return rc;
298
}
299
300
/**
301
* ima_file_mmap - based on policy, collect/store measurement.
···
369
return 0;
370
}
371
372
+
/**
373
+
* ima_path_check - based on policy, collect/store measurement.
374
+
* @file: pointer to the file to be measured
375
+
* @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
376
+
*
377
+
* Measure files based on the ima_must_measure() policy decision.
378
+
*
379
+
* Always return 0 and audit dentry_open failures.
380
+
* (Return code will be based upon measurement appraisal.)
381
+
*/
382
+
int ima_file_check(struct file *file, int mask)
383
+
{
384
+
int rc;
385
+
386
+
rc = process_measurement(file, file->f_dentry->d_name.name,
387
+
mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
388
+
FILE_CHECK);
389
+
return 0;
390
+
}
391
+
EXPORT_SYMBOL_GPL(ima_file_check);
392
+
393
static int __init init_ima(void)
394
{
395
int error;
396
397
error = ima_init();
398
ima_initialized = 1;
399
return error;
+6
-3
security/integrity/ima/ima_policy.c
+6
-3
security/integrity/ima/ima_policy.c
···
67
.flags = IMA_FUNC | IMA_MASK},
68
{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
69
.flags = IMA_FUNC | IMA_MASK},
70
-
{.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
71
.flags = IMA_FUNC | IMA_MASK | IMA_UID},
72
};
73
···
282
break;
283
case Opt_func:
284
audit_log_format(ab, "func=%s ", args[0].from);
285
-
if (strcmp(args[0].from, "PATH_CHECK") == 0)
286
-
entry->func = PATH_CHECK;
287
else if (strcmp(args[0].from, "FILE_MMAP") == 0)
288
entry->func = FILE_MMAP;
289
else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
···
67
.flags = IMA_FUNC | IMA_MASK},
68
{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
69
.flags = IMA_FUNC | IMA_MASK},
70
+
{.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = 0,
71
.flags = IMA_FUNC | IMA_MASK | IMA_UID},
72
};
73
···
282
break;
283
case Opt_func:
284
audit_log_format(ab, "func=%s ", args[0].from);
285
+
if (strcmp(args[0].from, "FILE_CHECK") == 0)
286
+
entry->func = FILE_CHECK;
287
+
/* PATH_CHECK is for backwards compat */
288
+
else if (strcmp(args[0].from, "PATH_CHECK") == 0)
289
+
entry->func = FILE_CHECK;
290
else if (strcmp(args[0].from, "FILE_MMAP") == 0)
291
entry->func = FILE_MMAP;
292
else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
-2
security/security.c
-2
security/security.c