tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

ima: Move to LSM infrastructure

Move hardcoded IMA function calls (not appraisal-specific functions) from
various places in the kernel to the LSM infrastructure, by introducing a
new LSM named 'ima' (at the end of the LSM list and always enabled like
'integrity').

Having IMA before EVM in the Makefile is sufficient to preserve the
relative order of the new 'ima' LSM in respect to the upcoming 'evm' LSM,
and thus the order of IMA and EVM function calls as when they were
hardcoded.

Make moved functions as static (except ima_post_key_create_or_update(),
which is not in ima_main.c), and register them as implementation of the
respective hooks in the new function init_ima_lsm().

Select CONFIG_SECURITY_PATH, to ensure that the path-based LSM hook
path_post_mknod is always available and ima_post_path_mknod() is always
executed to mark files as new, as before the move.

A slight difference is that IMA and EVM functions registered for the
inode_post_setattr, inode_post_removexattr, path_post_mknod,
inode_post_create_tmpfile, inode_post_set_acl and inode_post_remove_acl
won't be executed for private inodes. Since those inodes are supposed to be
fs-internal, they should not be of interest to IMA or EVM. The S_PRIVATE
flag is used for anonymous inodes, hugetlbfs, reiserfs xattrs, XFS scrub
and kernel-internal tmpfs files.

Conditionally register ima_post_key_create_or_update() if
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled. Also, conditionally register
ima_kernel_module_request() if CONFIG_INTEGRITY_ASYMMETRIC_KEYS is enabled.

Finally, add the LSM_ID_IMA case in lsm_list_modules_test.c.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Acked-by: Chuck Lever <chuck.lever@oracle.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Christian Brauner <brauner@kernel.org>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Roberto Sassu and committed by
Paul Moore cd3cec0a 06cca511

+83 -200
-2
fs/file_table.c
··· 26 26 #include <linux/percpu_counter.h> 27 27 #include <linux/percpu.h> 28 28 #include <linux/task_work.h> 29 - #include <linux/ima.h> 30 29 #include <linux/swap.h> 31 30 #include <linux/kmemleak.h> 32 31 ··· 367 368 locks_remove_file(file); 368 369 369 370 security_file_release(file); 370 - ima_file_free(file); 371 371 if (unlikely(file->f_flags & FASYNC)) { 372 372 if (file->f_op->fasync) 373 373 file->f_op->fasync(-1, file, 0);
-6
fs/namei.c
··· 27 27 #include <linux/fsnotify.h> 28 28 #include <linux/personality.h> 29 29 #include <linux/security.h> 30 - #include <linux/ima.h> 31 30 #include <linux/syscalls.h> 32 31 #include <linux/mount.h> 33 32 #include <linux/audit.h> ··· 3640 3641 error = vfs_open(&nd->path, file); 3641 3642 if (!error) 3642 3643 error = security_file_post_open(file, op->acc_mode); 3643 - if (!error) 3644 - error = ima_file_check(file, op->acc_mode); 3645 3644 if (!error && do_truncate) 3646 3645 error = handle_truncate(idmap, file); 3647 3646 if (unlikely(error > 0)) { ··· 3703 3706 spin_unlock(&inode->i_lock); 3704 3707 } 3705 3708 security_inode_post_create_tmpfile(idmap, inode); 3706 - ima_post_create_tmpfile(idmap, inode); 3707 3709 return 0; 3708 3710 } 3709 3711 ··· 4048 4052 case 0: case S_IFREG: 4049 4053 error = vfs_create(idmap, path.dentry->d_inode, 4050 4054 dentry, mode, true); 4051 - if (!error) 4052 - ima_post_path_mknod(idmap, dentry); 4053 4055 break; 4054 4056 case S_IFCHR: case S_IFBLK: 4055 4057 error = vfs_mknod(idmap, path.dentry->d_inode,
-7
fs/nfsd/vfs.c
··· 25 25 #include <linux/posix_acl_xattr.h> 26 26 #include <linux/xattr.h> 27 27 #include <linux/jhash.h> 28 - #include <linux/ima.h> 29 28 #include <linux/pagemap.h> 30 29 #include <linux/slab.h> 31 30 #include <linux/uaccess.h> ··· 877 878 } 878 879 879 880 host_err = security_file_post_open(file, may_flags); 880 - if (host_err) { 881 - fput(file); 882 - goto out; 883 - } 884 - 885 - host_err = ima_file_check(file, may_flags); 886 881 if (host_err) { 887 882 fput(file); 888 883 goto out;
-1
fs/open.c
··· 29 29 #include <linux/audit.h> 30 30 #include <linux/falloc.h> 31 31 #include <linux/fs_struct.h> 32 - #include <linux/ima.h> 33 32 #include <linux/dnotify.h> 34 33 #include <linux/compat.h> 35 34 #include <linux/mnt_idmapping.h>
-104
include/linux/ima.h
··· 16 16 17 17 #ifdef CONFIG_IMA 18 18 extern enum hash_algo ima_get_current_hash_algo(void); 19 - extern int ima_bprm_check(struct linux_binprm *bprm); 20 - extern int ima_file_check(struct file *file, int mask); 21 - extern void ima_post_create_tmpfile(struct mnt_idmap *idmap, 22 - struct inode *inode); 23 - extern void ima_file_free(struct file *file); 24 - extern int ima_file_mmap(struct file *file, unsigned long reqprot, 25 - unsigned long prot, unsigned long flags); 26 - extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, 27 - unsigned long prot); 28 - extern int ima_load_data(enum kernel_load_data_id id, bool contents); 29 - extern int ima_post_load_data(char *buf, loff_t size, 30 - enum kernel_load_data_id id, char *description); 31 - extern int ima_read_file(struct file *file, enum kernel_read_file_id id, 32 - bool contents); 33 - extern int ima_post_read_file(struct file *file, char *buf, loff_t size, 34 - enum kernel_read_file_id id); 35 - extern void ima_post_path_mknod(struct mnt_idmap *idmap, 36 - struct dentry *dentry); 37 19 extern int ima_file_hash(struct file *file, char *buf, size_t buf_size); 38 20 extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size); 39 21 extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size); ··· 38 56 static inline enum hash_algo ima_get_current_hash_algo(void) 39 57 { 40 58 return HASH_ALGO__LAST; 41 - } 42 - 43 - static inline int ima_bprm_check(struct linux_binprm *bprm) 44 - { 45 - return 0; 46 - } 47 - 48 - static inline int ima_file_check(struct file *file, int mask) 49 - { 50 - return 0; 51 - } 52 - 53 - static inline void ima_post_create_tmpfile(struct mnt_idmap *idmap, 54 - struct inode *inode) 55 - { 56 - } 57 - 58 - static inline void ima_file_free(struct file *file) 59 - { 60 - return; 61 - } 62 - 63 - static inline int ima_file_mmap(struct file *file, unsigned long reqprot, 64 - unsigned long prot, unsigned long flags) 65 - { 66 - return 0; 67 - } 68 - 69 - static inline int ima_file_mprotect(struct vm_area_struct *vma, 70 - unsigned long reqprot, unsigned long prot) 71 - { 72 - return 0; 73 - } 74 - 75 - static inline int ima_load_data(enum kernel_load_data_id id, bool contents) 76 - { 77 - return 0; 78 - } 79 - 80 - static inline int ima_post_load_data(char *buf, loff_t size, 81 - enum kernel_load_data_id id, 82 - char *description) 83 - { 84 - return 0; 85 - } 86 - 87 - static inline int ima_read_file(struct file *file, enum kernel_read_file_id id, 88 - bool contents) 89 - { 90 - return 0; 91 - } 92 - 93 - static inline int ima_post_read_file(struct file *file, char *buf, loff_t size, 94 - enum kernel_read_file_id id) 95 - { 96 - return 0; 97 - } 98 - 99 - static inline void ima_post_path_mknod(struct mnt_idmap *idmap, 100 - struct dentry *dentry) 101 - { 102 - return; 103 59 } 104 60 105 61 static inline int ima_file_hash(struct file *file, char *buf, size_t buf_size) ··· 89 169 static inline void ima_add_kexec_buffer(struct kimage *image) 90 170 {} 91 171 #endif 92 - 93 - #ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS 94 - extern void ima_post_key_create_or_update(struct key *keyring, 95 - struct key *key, 96 - const void *payload, size_t plen, 97 - unsigned long flags, bool create); 98 - #else 99 - static inline void ima_post_key_create_or_update(struct key *keyring, 100 - struct key *key, 101 - const void *payload, 102 - size_t plen, 103 - unsigned long flags, 104 - bool create) {} 105 - #endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */ 106 172 107 173 #ifdef CONFIG_IMA_APPRAISE 108 174 extern bool is_ima_appraise_enabled(void); ··· 162 256 return false; 163 257 } 164 258 #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ 165 - 166 - #if defined(CONFIG_IMA) && defined(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) 167 - extern int ima_kernel_module_request(char *kmod_name); 168 - #else 169 - static inline int ima_kernel_module_request(char *kmod_name) 170 - { 171 - return 0; 172 - } 173 - 174 - #endif 175 259 #endif /* _LINUX_IMA_H */
+1
include/uapi/linux/lsm.h
··· 62 62 #define LSM_ID_LOCKDOWN 108 63 63 #define LSM_ID_BPF 109 64 64 #define LSM_ID_LANDLOCK 110 65 + #define LSM_ID_IMA 111 65 66 66 67 /* 67 68 * LSM_ATTR_XXX definitions identify different LSM attributes
+1
security/integrity/Makefile
··· 18 18 integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \ 19 19 platform_certs/load_powerpc.o \ 20 20 platform_certs/keyring_handler.o 21 + # The relative order of the 'ima' and 'evm' LSMs depends on the order below. 21 22 obj-$(CONFIG_IMA) += ima/ 22 23 obj-$(CONFIG_EVM) += evm/
+1
security/integrity/ima/Kconfig
··· 8 8 select CRYPTO_HMAC 9 9 select CRYPTO_SHA1 10 10 select CRYPTO_HASH_INFO 11 + select SECURITY_PATH 11 12 select TCG_TPM if HAS_IOMEM 12 13 select TCG_TIS if TCG_TPM && X86 13 14 select TCG_CRB if TCG_TPM && ACPI
+6
security/integrity/ima/ima.h
··· 127 127 static inline void ima_load_kexec_buffer(void) {} 128 128 #endif /* CONFIG_HAVE_IMA_KEXEC */ 129 129 130 + #ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS 131 + void ima_post_key_create_or_update(struct key *keyring, struct key *key, 132 + const void *payload, size_t plen, 133 + unsigned long flags, bool create); 134 + #endif 135 + 130 136 /* 131 137 * The default binary_runtime_measurements list format is defined as the 132 138 * platform native format. The canonical format is defined as little-endian.
+57 -21
security/integrity/ima/ima_main.c
··· 189 189 * 190 190 * Flag files that changed, based on i_version 191 191 */ 192 - void ima_file_free(struct file *file) 192 + static void ima_file_free(struct file *file) 193 193 { 194 194 struct inode *inode = file_inode(file); 195 195 struct integrity_iint_cache *iint; ··· 427 427 * On success return 0. On integrity appraisal error, assuming the file 428 428 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 429 429 */ 430 - int ima_file_mmap(struct file *file, unsigned long reqprot, 431 - unsigned long prot, unsigned long flags) 430 + static int ima_file_mmap(struct file *file, unsigned long reqprot, 431 + unsigned long prot, unsigned long flags) 432 432 { 433 433 u32 secid; 434 434 int ret; ··· 466 466 * 467 467 * On mprotect change success, return 0. On failure, return -EACESS. 468 468 */ 469 - int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, 470 - unsigned long prot) 469 + static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, 470 + unsigned long prot) 471 471 { 472 472 struct ima_template_desc *template = NULL; 473 473 struct file *file; ··· 525 525 * On success return 0. On integrity appraisal error, assuming the file 526 526 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 527 527 */ 528 - int ima_bprm_check(struct linux_binprm *bprm) 528 + static int ima_bprm_check(struct linux_binprm *bprm) 529 529 { 530 530 int ret; 531 531 u32 secid; ··· 551 551 * On success return 0. On integrity appraisal error, assuming the file 552 552 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 553 553 */ 554 - int ima_file_check(struct file *file, int mask) 554 + static int ima_file_check(struct file *file, int mask) 555 555 { 556 556 u32 secid; 557 557 ··· 560 560 mask & (MAY_READ | MAY_WRITE | MAY_EXEC | 561 561 MAY_APPEND), FILE_CHECK); 562 562 } 563 - EXPORT_SYMBOL_GPL(ima_file_check); 564 563 565 564 static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf, 566 565 size_t buf_size) ··· 684 685 * Skip calling process_measurement(), but indicate which newly, created 685 686 * tmpfiles are in policy. 686 687 */ 687 - void ima_post_create_tmpfile(struct mnt_idmap *idmap, 688 - struct inode *inode) 688 + static void ima_post_create_tmpfile(struct mnt_idmap *idmap, 689 + struct inode *inode) 690 + 689 691 { 690 692 struct integrity_iint_cache *iint; 691 693 int must_appraise; ··· 717 717 * Mark files created via the mknodat syscall as new, so that the 718 718 * file data can be written later. 719 719 */ 720 - void ima_post_path_mknod(struct mnt_idmap *idmap, 721 - struct dentry *dentry) 720 + static void ima_post_path_mknod(struct mnt_idmap *idmap, struct dentry *dentry) 722 721 { 723 722 struct integrity_iint_cache *iint; 724 723 struct inode *inode = dentry->d_inode; ··· 752 753 * 753 754 * For permission return 0, otherwise return -EACCES. 754 755 */ 755 - int ima_read_file(struct file *file, enum kernel_read_file_id read_id, 756 - bool contents) 756 + static int ima_read_file(struct file *file, enum kernel_read_file_id read_id, 757 + bool contents) 757 758 { 758 759 enum ima_hooks func; 759 760 u32 secid; ··· 802 803 * On success return 0. On integrity appraisal error, assuming the file 803 804 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 804 805 */ 805 - int ima_post_read_file(struct file *file, char *buf, loff_t size, 806 - enum kernel_read_file_id read_id) 806 + static int ima_post_read_file(struct file *file, char *buf, loff_t size, 807 + enum kernel_read_file_id read_id) 807 808 { 808 809 enum ima_hooks func; 809 810 u32 secid; ··· 836 837 * 837 838 * For permission return 0, otherwise return -EACCES. 838 839 */ 839 - int ima_load_data(enum kernel_load_data_id id, bool contents) 840 + static int ima_load_data(enum kernel_load_data_id id, bool contents) 840 841 { 841 842 bool ima_enforce, sig_enforce; 842 843 ··· 890 891 * On success return 0. On integrity appraisal error, assuming the file 891 892 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 892 893 */ 893 - int ima_post_load_data(char *buf, loff_t size, 894 - enum kernel_load_data_id load_id, 895 - char *description) 894 + static int ima_post_load_data(char *buf, loff_t size, 895 + enum kernel_load_data_id load_id, 896 + char *description) 896 897 { 897 898 if (load_id == LOADING_FIRMWARE) { 898 899 if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && ··· 1113 1114 * 1114 1115 * Return: Zero if it is safe to load the kernel module, -EINVAL otherwise. 1115 1116 */ 1116 - int ima_kernel_module_request(char *kmod_name) 1117 + static int ima_kernel_module_request(char *kmod_name) 1117 1118 { 1118 1119 if (strncmp(kmod_name, "crypto-pkcs1pad(rsa,", 20) == 0) 1119 1120 return -EINVAL; ··· 1153 1154 1154 1155 return error; 1155 1156 } 1157 + 1158 + static struct security_hook_list ima_hooks[] __ro_after_init = { 1159 + LSM_HOOK_INIT(bprm_check_security, ima_bprm_check), 1160 + LSM_HOOK_INIT(file_post_open, ima_file_check), 1161 + LSM_HOOK_INIT(inode_post_create_tmpfile, ima_post_create_tmpfile), 1162 + LSM_HOOK_INIT(file_release, ima_file_free), 1163 + LSM_HOOK_INIT(mmap_file, ima_file_mmap), 1164 + LSM_HOOK_INIT(file_mprotect, ima_file_mprotect), 1165 + LSM_HOOK_INIT(kernel_load_data, ima_load_data), 1166 + LSM_HOOK_INIT(kernel_post_load_data, ima_post_load_data), 1167 + LSM_HOOK_INIT(kernel_read_file, ima_read_file), 1168 + LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file), 1169 + LSM_HOOK_INIT(path_post_mknod, ima_post_path_mknod), 1170 + #ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS 1171 + LSM_HOOK_INIT(key_post_create_or_update, ima_post_key_create_or_update), 1172 + #endif 1173 + #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS 1174 + LSM_HOOK_INIT(kernel_module_request, ima_kernel_module_request), 1175 + #endif 1176 + }; 1177 + 1178 + static const struct lsm_id ima_lsmid = { 1179 + .name = "ima", 1180 + .id = LSM_ID_IMA, 1181 + }; 1182 + 1183 + static int __init init_ima_lsm(void) 1184 + { 1185 + security_add_hooks(ima_hooks, ARRAY_SIZE(ima_hooks), &ima_lsmid); 1186 + return 0; 1187 + } 1188 + 1189 + DEFINE_LSM(ima) = { 1190 + .name = "ima", 1191 + .init = init_ima_lsm, 1192 + .order = LSM_ORDER_LAST, 1193 + }; 1156 1194 1157 1195 late_initcall(init_ima); /* Start IMA after the TPM is available */
+1
security/integrity/integrity.h
··· 18 18 #include <crypto/hash.h> 19 19 #include <linux/key.h> 20 20 #include <linux/audit.h> 21 + #include <linux/lsm_hooks.h> 21 22 22 23 /* iint action cache flags */ 23 24 #define IMA_MEASURE 0x00000001
+1 -8
security/keys/key.c
··· 13 13 #include <linux/security.h> 14 14 #include <linux/workqueue.h> 15 15 #include <linux/random.h> 16 - #include <linux/ima.h> 17 16 #include <linux/err.h> 18 17 #include "internal.h" 19 18 ··· 931 932 932 933 security_key_post_create_or_update(keyring, key, payload, plen, flags, 933 934 true); 934 - ima_post_key_create_or_update(keyring, key, payload, plen, 935 - flags, true); 936 935 937 936 key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); 938 937 ··· 962 965 963 966 key_ref = __key_update(key_ref, &prep); 964 967 965 - if (!IS_ERR(key_ref)) { 968 + if (!IS_ERR(key_ref)) 966 969 security_key_post_create_or_update(keyring, key, payload, plen, 967 970 flags, false); 968 - ima_post_key_create_or_update(keyring, key, 969 - payload, plen, 970 - flags, false); 971 - } 972 971 973 972 goto error_free_prep; 974 973 }
+12 -51
security/security.c
··· 50 50 (IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \ 51 51 (IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) ? 1 : 0) + \ 52 52 (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \ 53 - (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0)) 53 + (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0) + \ 54 + (IS_ENABLED(CONFIG_IMA) ? 1 : 0)) 54 55 55 56 /* 56 57 * These are descriptions of the reasons that can be passed to the ··· 1183 1182 */ 1184 1183 int security_bprm_check(struct linux_binprm *bprm) 1185 1184 { 1186 - int ret; 1187 - 1188 - ret = call_int_hook(bprm_check_security, 0, bprm); 1189 - if (ret) 1190 - return ret; 1191 - return ima_bprm_check(bprm); 1185 + return call_int_hook(bprm_check_security, 0, bprm); 1192 1186 } 1193 1187 1194 1188 /** ··· 2891 2895 int security_mmap_file(struct file *file, unsigned long prot, 2892 2896 unsigned long flags) 2893 2897 { 2894 - unsigned long prot_adj = mmap_prot(file, prot); 2895 - int ret; 2896 - 2897 - ret = call_int_hook(mmap_file, 0, file, prot, prot_adj, flags); 2898 - if (ret) 2899 - return ret; 2900 - return ima_file_mmap(file, prot, prot_adj, flags); 2898 + return call_int_hook(mmap_file, 0, file, prot, mmap_prot(file, prot), 2899 + flags); 2901 2900 } 2902 2901 2903 2902 /** ··· 2921 2930 int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, 2922 2931 unsigned long prot) 2923 2932 { 2924 - int ret; 2925 - 2926 - ret = call_int_hook(file_mprotect, 0, vma, reqprot, prot); 2927 - if (ret) 2928 - return ret; 2929 - return ima_file_mprotect(vma, reqprot, prot); 2933 + return call_int_hook(file_mprotect, 0, vma, reqprot, prot); 2930 2934 } 2931 2935 2932 2936 /** ··· 3230 3244 */ 3231 3245 int security_kernel_module_request(char *kmod_name) 3232 3246 { 3233 - int ret; 3234 - 3235 - ret = call_int_hook(kernel_module_request, 0, kmod_name); 3236 - if (ret) 3237 - return ret; 3238 - return ima_kernel_module_request(kmod_name); 3247 + return call_int_hook(kernel_module_request, 0, kmod_name); 3239 3248 } 3240 3249 3241 3250 /** ··· 3246 3265 int security_kernel_read_file(struct file *file, enum kernel_read_file_id id, 3247 3266 bool contents) 3248 3267 { 3249 - int ret; 3250 - 3251 - ret = call_int_hook(kernel_read_file, 0, file, id, contents); 3252 - if (ret) 3253 - return ret; 3254 - return ima_read_file(file, id, contents); 3268 + return call_int_hook(kernel_read_file, 0, file, id, contents); 3255 3269 } 3256 3270 EXPORT_SYMBOL_GPL(security_kernel_read_file); 3257 3271 ··· 3266 3290 int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, 3267 3291 enum kernel_read_file_id id) 3268 3292 { 3269 - int ret; 3270 - 3271 - ret = call_int_hook(kernel_post_read_file, 0, file, buf, size, id); 3272 - if (ret) 3273 - return ret; 3274 - return ima_post_read_file(file, buf, size, id); 3293 + return call_int_hook(kernel_post_read_file, 0, file, buf, size, id); 3275 3294 } 3276 3295 EXPORT_SYMBOL_GPL(security_kernel_post_read_file); 3277 3296 ··· 3281 3310 */ 3282 3311 int security_kernel_load_data(enum kernel_load_data_id id, bool contents) 3283 3312 { 3284 - int ret; 3285 - 3286 - ret = call_int_hook(kernel_load_data, 0, id, contents); 3287 - if (ret) 3288 - return ret; 3289 - return ima_load_data(id, contents); 3313 + return call_int_hook(kernel_load_data, 0, id, contents); 3290 3314 } 3291 3315 EXPORT_SYMBOL_GPL(security_kernel_load_data); 3292 3316 ··· 3303 3337 enum kernel_load_data_id id, 3304 3338 char *description) 3305 3339 { 3306 - int ret; 3307 - 3308 - ret = call_int_hook(kernel_post_load_data, 0, buf, size, id, 3309 - description); 3310 - if (ret) 3311 - return ret; 3312 - return ima_post_load_data(buf, size, id, description); 3340 + return call_int_hook(kernel_post_load_data, 0, buf, size, id, 3341 + description); 3313 3342 } 3314 3343 EXPORT_SYMBOL_GPL(security_kernel_post_load_data); 3315 3344
+3
tools/testing/selftests/lsm/lsm_list_modules_test.c
··· 122 122 case LSM_ID_LANDLOCK: 123 123 name = "landlock"; 124 124 break; 125 + case LSM_ID_IMA: 126 + name = "ima"; 127 + break; 125 128 default: 126 129 name = "INVALID"; 127 130 break;