diff options
author | Roberto Sassu <roberto.sassu@huawei.com> | 2024-02-15 11:31:09 +0100 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2024-02-15 23:43:46 -0500 |
commit | 84594c9ecdca7ca595bc50e315093cb76921fd8e (patch) | |
tree | 12049a5093126a4bda4cd4965c31452b91b53728 /security/security.c | |
parent | cd3cec0a02c7338ce2901c574f3935b8f6984aab (diff) |
ima: Move IMA-Appraisal to LSM infrastructure
A few additional IMA hooks are needed to reset the cached appraisal
status, causing the file's integrity to be re-evaluated on next access.
Register these IMA-appraisal only functions separately from the rest of IMA
functions, as appraisal is a separate feature not necessarily enabled in
the kernel configuration.
Reuse the same approach as for other IMA functions, move hardcoded calls
from various places in the kernel to the LSM infrastructure. Declare the
functions as static and register them as hook implementations in
init_ima_appraise_lsm(), called by init_ima_lsm().
Also move the inline function ima_inode_remove_acl() from the public ima.h
header to ima_appraise.c.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Christian Brauner <brauner@kernel.org>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/security.c')
-rw-r--r-- | security/security.c | 13 |
1 files changed, 0 insertions, 13 deletions
diff --git a/security/security.c b/security/security.c index 8495890a5a37..bed659b53e59 100644 --- a/security/security.c +++ b/security/security.c @@ -20,7 +20,6 @@ #include <linux/kernel_read_file.h> #include <linux/lsm_hooks.h> #include <linux/integrity.h> -#include <linux/ima.h> #include <linux/evm.h> #include <linux/fsnotify.h> #include <linux/mman.h> @@ -2310,9 +2309,6 @@ int security_inode_setxattr(struct mnt_idmap *idmap, ret = cap_inode_setxattr(dentry, name, value, size, flags); if (ret) return ret; - ret = ima_inode_setxattr(idmap, dentry, name, value, size, flags); - if (ret) - return ret; return evm_inode_setxattr(idmap, dentry, name, value, size, flags); } @@ -2340,9 +2336,6 @@ int security_inode_set_acl(struct mnt_idmap *idmap, kacl); if (ret) return ret; - ret = ima_inode_set_acl(idmap, dentry, acl_name, kacl); - if (ret) - return ret; return evm_inode_set_acl(idmap, dentry, acl_name, kacl); } @@ -2403,9 +2396,6 @@ int security_inode_remove_acl(struct mnt_idmap *idmap, ret = call_int_hook(inode_remove_acl, 0, idmap, dentry, acl_name); if (ret) return ret; - ret = ima_inode_remove_acl(idmap, dentry, acl_name); - if (ret) - return ret; return evm_inode_remove_acl(idmap, dentry, acl_name); } @@ -2505,9 +2495,6 @@ int security_inode_removexattr(struct mnt_idmap *idmap, ret = cap_inode_removexattr(idmap, dentry, name); if (ret) return ret; - ret = ima_inode_removexattr(idmap, dentry, name); - if (ret) - return ret; return evm_inode_removexattr(idmap, dentry, name); } |