ima: Simplify policy_func_show.

If the func_tokens array uses the same indices as enum ima_hooks, policy_func_show can be a lot simpler, and the func_* enum becomes unnecessary. Also, if we use the same macro trick used by kernel_read_file_id_str we can use one hooks list for both the enum and the string array, making sure they are always in sync (suggested by Mimi Zohar). Finally, by using the printf pattern for the function token directly instead of using the pt macro we can simplify policy_func_show even further and avoid needing a temporary buffer. Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
author: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> 2017-06-07 21:49:11 -0400
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2017-06-21 14:37:12 -0400
commit: 2663218ba6e3dd6f27df9664e00fa3eb63be3a3f (patch)
tree: 48b2a0f2bc3cd5468df0e0393350d2c4ac41f608
parent: bb543e3959b5909e7b5db4a216018c634a9d9898 (diff)
2 files changed, 21 insertions, 62 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 215a93c41b51..d52b487ad259 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -172,17 +172,22 @@ static inline unsigned long ima_hash_key(u8 *digest)
        return hash_long(*digest, IMA_HASH_BITS);
 }
+#define __ima_hooks(hook)               \
+        hook(NONE)                      \
+        hook(FILE_CHECK)                \
+        hook(MMAP_CHECK)                \
+        hook(BPRM_CHECK)                \
+        hook(POST_SETATTR)              \
+        hook(MODULE_CHECK)              \
+        hook(FIRMWARE_CHECK)            \
+        hook(KEXEC_KERNEL_CHECK)        \
+        hook(KEXEC_INITRAMFS_CHECK)     \
+        hook(POLICY_CHECK)              \
+        hook(MAX_CHECK)
+#define __ima_hook_enumify(ENUM)        ENUM,
 enum ima_hooks {
-        FILE_CHECK = 1,
+        __ima_hooks(__ima_hook_enumify)
-        MMAP_CHECK,
-        BPRM_CHECK,
-        POST_SETATTR,
-        MODULE_CHECK,
-        FIRMWARE_CHECK,
-        KEXEC_KERNEL_CHECK,
-        KEXEC_INITRAMFS_CHECK,
-        POLICY_CHECK,
-        MAX_CHECK
 };
 /* LIM API function definitions */
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 949ad3858327..f4436626ccb7 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -972,23 +972,10 @@ static const char *const mask_tokens[] = {
        "MAY_APPEND"
 };
-enum {
+#define __ima_hook_stringify(str)       (#str),
-        func_file = 0, func_mmap, func_bprm,
-        func_module, func_firmware, func_post,
-        func_kexec_kernel, func_kexec_initramfs,
-        func_policy
-};
 static const char *const func_tokens[] = {
-        "FILE_CHECK",
+        __ima_hooks(__ima_hook_stringify)
-        "MMAP_CHECK",
-        "BPRM_CHECK",
-        "MODULE_CHECK",
-        "FIRMWARE_CHECK",
-        "POST_SETATTR",
-        "KEXEC_KERNEL_CHECK",
-        "KEXEC_INITRAMFS_CHECK",
-        "POLICY_CHECK"
 };
 void *ima_policy_start(struct seq_file *m, loff_t *pos)
@@ -1025,49 +1012,16 @@ void ima_policy_stop(struct seq_file *m, void *v)
 #define pt(token)       policy_tokens[token + Opt_err].pattern
 #define mt(token)       mask_tokens[token]
-#define ft(token)       func_tokens[token]
 /*
 * policy_func_show - display the ima_hooks policy rule
 */
 static void policy_func_show(struct seq_file *m, enum ima_hooks func)
 {
-        char tbuf[64] = {0,};
+        if (func > 0 && func < MAX_CHECK)
+                seq_printf(m, "func=%s ", func_tokens[func]);
-        switch (func) {
+        else
-        case FILE_CHECK:
+                seq_printf(m, "func=%d ", func);
-                seq_printf(m, pt(Opt_func), ft(func_file));
-                break;
-        case MMAP_CHECK:
-                seq_printf(m, pt(Opt_func), ft(func_mmap));
-                break;
-        case BPRM_CHECK:
-                seq_printf(m, pt(Opt_func), ft(func_bprm));
-                break;
-        case MODULE_CHECK:
-                seq_printf(m, pt(Opt_func), ft(func_module));
-                break;
-        case FIRMWARE_CHECK:
-                seq_printf(m, pt(Opt_func), ft(func_firmware));
-                break;
-        case POST_SETATTR:
-                seq_printf(m, pt(Opt_func), ft(func_post));
-                break;
-        case KEXEC_KERNEL_CHECK:
-                seq_printf(m, pt(Opt_func), ft(func_kexec_kernel));
-                break;
-        case KEXEC_INITRAMFS_CHECK:
-                seq_printf(m, pt(Opt_func), ft(func_kexec_initramfs));
-                break;
-        case POLICY_CHECK:
-                seq_printf(m, pt(Opt_func), ft(func_policy));
-                break;
-        default:
-                snprintf(tbuf, sizeof(tbuf), "%d", func);
-                seq_printf(m, pt(Opt_func), tbuf);
-                break;
-        }
-        seq_puts(m, " ");
 }
 int ima_policy_show(struct seq_file *m, void *v)
author	Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>	2017-06-07 21:49:11 -0400
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2017-06-21 14:37:12 -0400
commit	2663218ba6e3dd6f27df9664e00fa3eb63be3a3f (patch)
tree	48b2a0f2bc3cd5468df0e0393350d2c4ac41f608
parent	bb543e3959b5909e7b5db4a216018c634a9d9898 (diff)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 215a93c41b51..d52b487ad259 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h
@@ -172,17 +172,22 @@ static inline unsigned long ima_hash_key(u8 *digest)
172	return hash_long(*digest, IMA_HASH_BITS);	172	return hash_long(*digest, IMA_HASH_BITS);
173	}	173	}
174		174
		175	#define __ima_hooks(hook) \
		176	hook(NONE) \
		177	hook(FILE_CHECK) \
		178	hook(MMAP_CHECK) \
		179	hook(BPRM_CHECK) \
		180	hook(POST_SETATTR) \
		181	hook(MODULE_CHECK) \
		182	hook(FIRMWARE_CHECK) \
		183	hook(KEXEC_KERNEL_CHECK) \
		184	hook(KEXEC_INITRAMFS_CHECK) \
		185	hook(POLICY_CHECK) \
		186	hook(MAX_CHECK)
		187	#define __ima_hook_enumify(ENUM) ENUM,
		188
175	enum ima_hooks {	189	enum ima_hooks {
176	FILE_CHECK = 1,	190	__ima_hooks(__ima_hook_enumify)
177	MMAP_CHECK,
178	BPRM_CHECK,
179	POST_SETATTR,
180	MODULE_CHECK,
181	FIRMWARE_CHECK,
182	KEXEC_KERNEL_CHECK,
183	KEXEC_INITRAMFS_CHECK,
184	POLICY_CHECK,
185	MAX_CHECK
186	};	191	};
187		192
188	/* LIM API function definitions */	193	/* LIM API function definitions */


diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 949ad3858327..f4436626ccb7 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c
@@ -972,23 +972,10 @@ static const char *const mask_tokens[] = {
972	"MAY_APPEND"	972	"MAY_APPEND"
973	};	973	};
974		974
975	enum {	975	#define __ima_hook_stringify(str) (#str),
976	func_file = 0, func_mmap, func_bprm,
977	func_module, func_firmware, func_post,
978	func_kexec_kernel, func_kexec_initramfs,
979	func_policy
980	};
981		976
982	static const char *const func_tokens[] = {	977	static const char *const func_tokens[] = {
983	"FILE_CHECK",	978	__ima_hooks(__ima_hook_stringify)
984	"MMAP_CHECK",
985	"BPRM_CHECK",
986	"MODULE_CHECK",
987	"FIRMWARE_CHECK",
988	"POST_SETATTR",
989	"KEXEC_KERNEL_CHECK",
990	"KEXEC_INITRAMFS_CHECK",
991	"POLICY_CHECK"
992	};	979	};
993		980
994	void ima_policy_start(struct seq_file m, loff_t *pos)	981	void ima_policy_start(struct seq_file m, loff_t *pos)
@@ -1025,49 +1012,16 @@ void ima_policy_stop(struct seq_file m, void v)
1025		1012
1026	#define pt(token) policy_tokens[token + Opt_err].pattern	1013	#define pt(token) policy_tokens[token + Opt_err].pattern
1027	#define mt(token) mask_tokens[token]	1014	#define mt(token) mask_tokens[token]
1028	#define ft(token) func_tokens[token]
1029		1015
1030	/*	1016	/*
1031	* policy_func_show - display the ima_hooks policy rule	1017	* policy_func_show - display the ima_hooks policy rule
1032	*/	1018	*/
1033	static void policy_func_show(struct seq_file *m, enum ima_hooks func)	1019	static void policy_func_show(struct seq_file *m, enum ima_hooks func)
1034	{	1020	{
1035	char tbuf[64] = {0,};	1021	if (func > 0 && func < MAX_CHECK)
1036		1022	seq_printf(m, "func=%s ", func_tokens[func]);
1037	switch (func) {	1023	else
1038	case FILE_CHECK:	1024	seq_printf(m, "func=%d ", func);
1039	seq_printf(m, pt(Opt_func), ft(func_file));
1040	break;
1041	case MMAP_CHECK:
1042	seq_printf(m, pt(Opt_func), ft(func_mmap));
1043	break;
1044	case BPRM_CHECK:
1045	seq_printf(m, pt(Opt_func), ft(func_bprm));
1046	break;
1047	case MODULE_CHECK:
1048	seq_printf(m, pt(Opt_func), ft(func_module));
1049	break;
1050	case FIRMWARE_CHECK:
1051	seq_printf(m, pt(Opt_func), ft(func_firmware));
1052	break;
1053	case POST_SETATTR:
1054	seq_printf(m, pt(Opt_func), ft(func_post));
1055	break;
1056	case KEXEC_KERNEL_CHECK:
1057	seq_printf(m, pt(Opt_func), ft(func_kexec_kernel));
1058	break;
1059	case KEXEC_INITRAMFS_CHECK:
1060	seq_printf(m, pt(Opt_func), ft(func_kexec_initramfs));
1061	break;
1062	case POLICY_CHECK:
1063	seq_printf(m, pt(Opt_func), ft(func_policy));
1064	break;
1065	default:
1066	snprintf(tbuf, sizeof(tbuf), "%d", func);
1067	seq_printf(m, pt(Opt_func), tbuf);
1068	break;
1069	}
1070	seq_puts(m, " ");
1071	}	1025	}
1072		1026
1073	int ima_policy_show(struct seq_file m, void v)	1027	int ima_policy_show(struct seq_file m, void v)