authorRoberto Sassu <roberto.sassu@huawei.com>2024-02-15 11:31:09 +0100
committerPaul Moore <paul@paul-moore.com>2024-02-15 23:43:46 -0500
commit84594c9ecdca7ca595bc50e315093cb76921fd8e (patch)
tree12049a5093126a4bda4cd4965c31452b91b53728 /security/security.c
parentcd3cec0a02c7338ce2901c574f3935b8f6984aab (diff)
ima: Move IMA-Appraisal to LSM infrastructure
A few additional IMA hooks are needed to reset the cached appraisal status, causing the file's integrity to be re-evaluated on next access. Register these IMA-appraisal only functions separately from the rest of IMA functions, as appraisal is a separate feature not necessarily enabled in the kernel configuration. Reuse the same approach as for other IMA functions, move hardcoded calls from various places in the kernel to the LSM infrastructure. Declare the functions as static and register them as hook implementations in init_ima_appraise_lsm(), called by init_ima_lsm(). Also move the inline function ima_inode_remove_acl() from the public ima.h header to ima_appraise.c. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Christian Brauner <brauner@kernel.org> Acked-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/security.c')
-rw-r--r--security/security.c13
1 files changed, 0 insertions, 13 deletions
diff --git a/security/security.c b/security/security.c
index 8495890a5a37..bed659b53e59 100644
--- a/security/security.c
+++ b/security/security.c
@@ -20,7 +20,6 @@
#include <linux/kernel_read_file.h>
#include <linux/lsm_hooks.h>
#include <linux/integrity.h>
-#include <linux/ima.h>
#include <linux/evm.h>
#include <linux/fsnotify.h>
#include <linux/mman.h>
@@ -2310,9 +2309,6 @@ int security_inode_setxattr(struct mnt_idmap *idmap,
ret = cap_inode_setxattr(dentry, name, value, size, flags);
if (ret)
return ret;
- ret = ima_inode_setxattr(idmap, dentry, name, value, size, flags);
- if (ret)
- return ret;
return evm_inode_setxattr(idmap, dentry, name, value, size, flags);
}
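Review bot: Removing the direct ima_inode_setxattr() call moves IMA-appraisal out of its fixed slot between cap_inode_setxattr() and evm_inode_setxattr(); as an LSM hook implementation it will now run inside call_int_hook(), which in these functions precedes the capability call (visible in the security_inode_remove_acl() hunk, where call_int_hook() is the first line; in this hunk the call sits above it, and security_inode_setxattr() begins outside the hunk). Whether the capability and EVM checks still run before the appraisal-status reset therefore depends on the registration order in init_ima_appraise_lsm(), which is outside this file, so the change in ordering is presumably intended but not stated in the commit message. A short comment at the call_int_hook() line would make this explicit, e.g. `/* IMA appraisal runs via the LSM hook list (init_ima_appraise_lsm()), ahead of the cap/evm calls below */`. The same point applies to the security_inode_set_acl(), security_inode_remove_acl() and security_inode_removexattr() hunks.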
@@ -2340,9 +2336,6 @@ int security_inode_set_acl(struct mnt_idmap *idmap,
kacl);
if (ret)
return ret;
- ret = ima_inode_set_acl(idmap, dentry, acl_name, kacl);
- if (ret)
- return ret;
return evm_inode_set_acl(idmap, dentry, acl_name, kacl);
}
@@ -2403,9 +2396,6 @@ int security_inode_remove_acl(struct mnt_idmap *idmap,
ret = call_int_hook(inode_remove_acl, 0, idmap, dentry, acl_name);
if (ret)
return ret;
- ret = ima_inode_remove_acl(idmap, dentry, acl_name);
- if (ret)
- return ret;
return evm_inode_remove_acl(idmap, dentry, acl_name);
}
@@ -2505,9 +2495,6 @@ int security_inode_removexattr(struct mnt_idmap *idmap,
ret = cap_inode_removexattr(idmap, dentry, name);
if (ret)
return ret;
- ret = ima_inode_removexattr(idmap, dentry, name);
- if (ret)
- return ret;
return evm_inode_removexattr(idmap, dentry, name);
}