integrity: path_check update
- Add support in ima_path_check() for integrity checking without incrementing the counts. (Required for nfsd.) - rename and export opencount_get to ima_counts_get - replace ima_shm_check calls with ima_counts_get - export ima_path_check Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Mimi Zohar
James Morris
Родитель
932995f0ce
Коммит
b9fc745db8
|
|
@ -130,7 +130,8 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
|
|||
MAY_READ | MAY_EXEC | MAY_OPEN);
|
||||
if (error)
|
||||
goto exit;
|
||||
error = ima_path_check(&nd.path, MAY_READ | MAY_EXEC | MAY_OPEN);
|
||||
error = ima_path_check(&nd.path, MAY_READ | MAY_EXEC | MAY_OPEN,
|
||||
IMA_COUNT_UPDATE);
|
||||
if (error)
|
||||
goto exit;
|
||||
|
||||
|
|
@ -680,7 +681,7 @@ struct file *open_exec(const char *name)
|
|||
err = inode_permission(nd.path.dentry->d_inode, MAY_EXEC | MAY_OPEN);
|
||||
if (err)
|
||||
goto out_path_put;
|
||||
err = ima_path_check(&nd.path, MAY_EXEC | MAY_OPEN);
|
||||
err = ima_path_check(&nd.path, MAY_EXEC | MAY_OPEN, IMA_COUNT_UPDATE);
|
||||
if (err)
|
||||
goto out_path_put;
|
||||
|
||||
|
|
|
|||
|
|
@ -853,7 +853,8 @@ static int __link_path_walk(const char *name, struct nameidata *nd)
|
|||
err = inode_permission(nd->path.dentry->d_inode,
|
||||
MAY_EXEC);
|
||||
if (!err)
|
||||
err = ima_path_check(&nd->path, MAY_EXEC);
|
||||
err = ima_path_check(&nd->path, MAY_EXEC,
|
||||
IMA_COUNT_UPDATE);
|
||||
if (err)
|
||||
break;
|
||||
|
||||
|
|
@ -1515,7 +1516,8 @@ int may_open(struct path *path, int acc_mode, int flag)
|
|||
return error;
|
||||
|
||||
error = ima_path_check(path,
|
||||
acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC));
|
||||
acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC),
|
||||
IMA_COUNT_UPDATE);
|
||||
if (error)
|
||||
return error;
|
||||
/*
|
||||
|
|
|
|||
|
|
@ -13,14 +13,17 @@
|
|||
#include <linux/fs.h>
|
||||
struct linux_binprm;
|
||||
|
||||
#define IMA_COUNT_UPDATE 1
|
||||
#define IMA_COUNT_LEAVE 0
|
||||
|
||||
#ifdef CONFIG_IMA
|
||||
extern int ima_bprm_check(struct linux_binprm *bprm);
|
||||
extern int ima_inode_alloc(struct inode *inode);
|
||||
extern void ima_inode_free(struct inode *inode);
|
||||
extern int ima_path_check(struct path *path, int mask);
|
||||
extern int ima_path_check(struct path *path, int mask, int update_counts);
|
||||
extern void ima_file_free(struct file *file);
|
||||
extern int ima_file_mmap(struct file *file, unsigned long prot);
|
||||
extern void ima_shm_check(struct file *file);
|
||||
extern void ima_counts_get(struct file *file);
|
||||
|
||||
#else
|
||||
static inline int ima_bprm_check(struct linux_binprm *bprm)
|
||||
|
|
@ -38,7 +41,7 @@ static inline void ima_inode_free(struct inode *inode)
|
|||
return;
|
||||
}
|
||||
|
||||
static inline int ima_path_check(struct path *path, int mask)
|
||||
static inline int ima_path_check(struct path *path, int mask, int update_counts)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -53,7 +56,7 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
|
|||
return 0;
|
||||
}
|
||||
|
||||
static inline void ima_shm_check(struct file *file)
|
||||
static inline void ima_counts_get(struct file *file)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -384,7 +384,7 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
|
|||
error = PTR_ERR(file);
|
||||
if (IS_ERR(file))
|
||||
goto no_file;
|
||||
ima_shm_check(file);
|
||||
ima_counts_get(file);
|
||||
|
||||
id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
|
||||
if (id < 0) {
|
||||
|
|
@ -891,7 +891,7 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr)
|
|||
file = alloc_file(path.mnt, path.dentry, f_mode, &shm_file_operations);
|
||||
if (!file)
|
||||
goto out_free;
|
||||
ima_shm_check(file);
|
||||
ima_counts_get(file);
|
||||
|
||||
file->private_data = sfd;
|
||||
file->f_mapping = shp->shm_file->f_mapping;
|
||||
|
|
|
|||
|
|
@ -2684,7 +2684,7 @@ int shmem_zero_setup(struct vm_area_struct *vma)
|
|||
if (IS_ERR(file))
|
||||
return PTR_ERR(file);
|
||||
|
||||
ima_shm_check(file);
|
||||
ima_counts_get(file);
|
||||
if (vma->vm_file)
|
||||
fput(vma->vm_file);
|
||||
vma->vm_file = file;
|
||||
|
|
|
|||
|
|
@ -125,6 +125,15 @@ static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,
|
|||
return rc;
|
||||
}
|
||||
|
||||
static void ima_update_counts(struct ima_iint_cache *iint, int mask)
|
||||
{
|
||||
iint->opencount++;
|
||||
if ((mask & MAY_WRITE) || (mask == 0))
|
||||
iint->writecount++;
|
||||
else if (mask & (MAY_READ | MAY_EXEC))
|
||||
iint->readcount++;
|
||||
}
|
||||
|
||||
/**
|
||||
* ima_path_check - based on policy, collect/store measurement.
|
||||
* @path: contains a pointer to the path to be measured
|
||||
|
|
@ -143,7 +152,7 @@ static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,
|
|||
* Return 0 on success, an error code on failure.
|
||||
* (Based on the results of appraise_measurement().)
|
||||
*/
|
||||
int ima_path_check(struct path *path, int mask)
|
||||
int ima_path_check(struct path *path, int mask, int update_counts)
|
||||
{
|
||||
struct inode *inode = path->dentry->d_inode;
|
||||
struct ima_iint_cache *iint;
|
||||
|
|
@ -157,11 +166,8 @@ int ima_path_check(struct path *path, int mask)
|
|||
return 0;
|
||||
|
||||
mutex_lock(&iint->mutex);
|
||||
iint->opencount++;
|
||||
if ((mask & MAY_WRITE) || (mask == 0))
|
||||
iint->writecount++;
|
||||
else if (mask & (MAY_READ | MAY_EXEC))
|
||||
iint->readcount++;
|
||||
if (update_counts)
|
||||
ima_update_counts(iint, mask);
|
||||
|
||||
rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);
|
||||
if (rc < 0)
|
||||
|
|
@ -197,6 +203,7 @@ out:
|
|||
kref_put(&iint->refcount, iint_free);
|
||||
return 0;
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(ima_path_check);
|
||||
|
||||
static int process_measurement(struct file *file, const unsigned char *filename,
|
||||
int mask, int function)
|
||||
|
|
@ -225,7 +232,16 @@ out:
|
|||
return rc;
|
||||
}
|
||||
|
||||
static void opencount_get(struct file *file)
|
||||
/*
|
||||
* ima_opens_get - increment file counts
|
||||
*
|
||||
* - for IPC shm and shmat file.
|
||||
* - for nfsd exported files.
|
||||
*
|
||||
* Increment the counts for these files to prevent unnecessary
|
||||
* imbalance messages.
|
||||
*/
|
||||
void ima_counts_get(struct file *file)
|
||||
{
|
||||
struct inode *inode = file->f_dentry->d_inode;
|
||||
struct ima_iint_cache *iint;
|
||||
|
|
@ -237,8 +253,14 @@ static void opencount_get(struct file *file)
|
|||
return;
|
||||
mutex_lock(&iint->mutex);
|
||||
iint->opencount++;
|
||||
if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
|
||||
iint->readcount++;
|
||||
|
||||
if (file->f_mode & FMODE_WRITE)
|
||||
iint->writecount++;
|
||||
mutex_unlock(&iint->mutex);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(ima_counts_get);
|
||||
|
||||
/**
|
||||
* ima_file_mmap - based on policy, collect/store measurement.
|
||||
|
|
@ -263,18 +285,6 @@ int ima_file_mmap(struct file *file, unsigned long prot)
|
|||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* ima_shm_check - IPC shm and shmat create/fput a file
|
||||
*
|
||||
* Maintain the opencount for these files to prevent unnecessary
|
||||
* imbalance messages.
|
||||
*/
|
||||
void ima_shm_check(struct file *file)
|
||||
{
|
||||
opencount_get(file);
|
||||
return;
|
||||
}
|
||||
|
||||
/**
|
||||
* ima_bprm_check - based on policy, collect/store measurement.
|
||||
* @bprm: contains the linux_binprm structure
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче