diff options
| author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2015-11-19 12:39:22 -0500 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2016-02-21 09:03:44 -0500 |
| commit | e40ba6d56b41754b37b995dbc8035b2b3a6afd8a (patch) | |
| tree | 0bbc573dde5374e434d6acd883b330f92645bfe2 /include/linux/security.h | |
| parent | 09596b94f7d28595602482e69ed954deab707437 (diff) | |
firmware: replace call to fw_read_file_contents() with kernel version
Replace the fw_read_file_contents with kernel_file_read_from_path().
Although none of the upstreamed LSMs define a kernel_fw_from_file hook,
IMA is called by the security function to prevent unsigned firmware from
being loaded and to measure/appraise signed firmware, based on policy.
Instead of reading the firmware twice, once for measuring/appraising the
firmware and again for reading the firmware contents into memory, the
kernel_post_read_file() security hook calculates the file hash based on
the in memory file buffer. The firmware is read once.
This patch removes the LSM kernel_fw_from_file() hook and security call.
Changelog v4+:
- revert dropped buf->size assignment - reported by Sergey Senozhatsky
v3:
- remove kernel_fw_from_file hook
- use kernel_file_read_from_path() - requested by Luis
v2:
- reordered and squashed firmware patches
- fix MAX firmware size (Kees Cook)
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Luis R. Rodriguez <mcgrof@kernel.org>
Diffstat (limited to 'include/linux/security.h')
| -rw-r--r-- | include/linux/security.h | 7 |
1 files changed, 0 insertions, 7 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index d920718dc845..cee1349e1155 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -300,7 +300,6 @@ int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); | |||
| 300 | void security_transfer_creds(struct cred *new, const struct cred *old); | 300 | void security_transfer_creds(struct cred *new, const struct cred *old); |
| 301 | int security_kernel_act_as(struct cred *new, u32 secid); | 301 | int security_kernel_act_as(struct cred *new, u32 secid); |
| 302 | int security_kernel_create_files_as(struct cred *new, struct inode *inode); | 302 | int security_kernel_create_files_as(struct cred *new, struct inode *inode); |
| 303 | int security_kernel_fw_from_file(struct file *file, char *buf, size_t size); | ||
| 304 | int security_kernel_module_request(char *kmod_name); | 303 | int security_kernel_module_request(char *kmod_name); |
| 305 | int security_kernel_module_from_file(struct file *file); | 304 | int security_kernel_module_from_file(struct file *file); |
| 306 | int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, | 305 | int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, |
| @@ -854,12 +853,6 @@ static inline int security_kernel_create_files_as(struct cred *cred, | |||
| 854 | return 0; | 853 | return 0; |
| 855 | } | 854 | } |
| 856 | 855 | ||
| 857 | static inline int security_kernel_fw_from_file(struct file *file, | ||
| 858 | char *buf, size_t size) | ||
| 859 | { | ||
| 860 | return 0; | ||
| 861 | } | ||
| 862 | |||
| 863 | static inline int security_kernel_module_request(char *kmod_name) | 856 | static inline int security_kernel_module_request(char *kmod_name) |
| 864 | { | 857 | { |
| 865 | return 0; | 858 | return 0; |