diff options
| author | James Morris <jmorris@namei.org> | 2011-08-08 20:31:03 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2011-08-08 20:31:03 -0400 |
| commit | 5a2f3a02aea164f4f59c0c3497772090a411b462 (patch) | |
| tree | d3ebe03d4f97575290087843960baa01de3acd0a /security/security.c | |
| parent | 1d568ab068c021672d6cd7f50f92a3695a921ffb (diff) | |
| parent | 817b54aa45db03437c6d09a7693fc6926eb8e822 (diff) | |
Merge branch 'next-evm' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6 into next
Conflicts:
fs/attr.c
Resolve conflict manually.
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/security.c')
| -rw-r--r-- | security/security.c | 71 |
1 files changed, 64 insertions, 7 deletions
diff --git a/security/security.c b/security/security.c index 0e4fccfef12c..a6328421a055 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -16,7 +16,11 @@ | |||
| 16 | #include <linux/init.h> | 16 | #include <linux/init.h> |
| 17 | #include <linux/kernel.h> | 17 | #include <linux/kernel.h> |
| 18 | #include <linux/security.h> | 18 | #include <linux/security.h> |
| 19 | #include <linux/integrity.h> | ||
| 19 | #include <linux/ima.h> | 20 | #include <linux/ima.h> |
| 21 | #include <linux/evm.h> | ||
| 22 | |||
| 23 | #define MAX_LSM_EVM_XATTR 2 | ||
| 20 | 24 | ||
| 21 | /* Boot-time LSM user choice */ | 25 | /* Boot-time LSM user choice */ |
| 22 | static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = | 26 | static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = |
| @@ -334,20 +338,57 @@ int security_inode_alloc(struct inode *inode) | |||
| 334 | 338 | ||
| 335 | void security_inode_free(struct inode *inode) | 339 | void security_inode_free(struct inode *inode) |
| 336 | { | 340 | { |
| 337 | ima_inode_free(inode); | 341 | integrity_inode_free(inode); |
| 338 | security_ops->inode_free_security(inode); | 342 | security_ops->inode_free_security(inode); |
| 339 | } | 343 | } |
| 340 | 344 | ||
| 341 | int security_inode_init_security(struct inode *inode, struct inode *dir, | 345 | int security_inode_init_security(struct inode *inode, struct inode *dir, |
| 342 | const struct qstr *qstr, char **name, | 346 | const struct qstr *qstr, |
| 343 | void **value, size_t *len) | 347 | const initxattrs initxattrs, void *fs_data) |
| 348 | { | ||
| 349 | struct xattr new_xattrs[MAX_LSM_EVM_XATTR + 1]; | ||
| 350 | struct xattr *lsm_xattr, *evm_xattr, *xattr; | ||
| 351 | int ret; | ||
| 352 | |||
| 353 | if (unlikely(IS_PRIVATE(inode))) | ||
| 354 | return -EOPNOTSUPP; | ||
| 355 | |||
| 356 | memset(new_xattrs, 0, sizeof new_xattrs); | ||
| 357 | if (!initxattrs) | ||
| 358 | return security_ops->inode_init_security(inode, dir, qstr, | ||
| 359 | NULL, NULL, NULL); | ||
| 360 | lsm_xattr = new_xattrs; | ||
| 361 | ret = security_ops->inode_init_security(inode, dir, qstr, | ||
| 362 | &lsm_xattr->name, | ||
| 363 | &lsm_xattr->value, | ||
| 364 | &lsm_xattr->value_len); | ||
| 365 | if (ret) | ||
| 366 | goto out; | ||
| 367 | |||
| 368 | evm_xattr = lsm_xattr + 1; | ||
| 369 | ret = evm_inode_init_security(inode, lsm_xattr, evm_xattr); | ||
| 370 | if (ret) | ||
| 371 | goto out; | ||
| 372 | ret = initxattrs(inode, new_xattrs, fs_data); | ||
| 373 | out: | ||
| 374 | for (xattr = new_xattrs; xattr->name != NULL; xattr++) { | ||
| 375 | kfree(xattr->name); | ||
| 376 | kfree(xattr->value); | ||
| 377 | } | ||
| 378 | return (ret == -EOPNOTSUPP) ? 0 : ret; | ||
| 379 | } | ||
| 380 | EXPORT_SYMBOL(security_inode_init_security); | ||
| 381 | |||
| 382 | int security_old_inode_init_security(struct inode *inode, struct inode *dir, | ||
| 383 | const struct qstr *qstr, char **name, | ||
| 384 | void **value, size_t *len) | ||
| 344 | { | 385 | { |
| 345 | if (unlikely(IS_PRIVATE(inode))) | 386 | if (unlikely(IS_PRIVATE(inode))) |
| 346 | return -EOPNOTSUPP; | 387 | return -EOPNOTSUPP; |
| 347 | return security_ops->inode_init_security(inode, dir, qstr, name, value, | 388 | return security_ops->inode_init_security(inode, dir, qstr, name, value, |
| 348 | len); | 389 | len); |
| 349 | } | 390 | } |
| 350 | EXPORT_SYMBOL(security_inode_init_security); | 391 | EXPORT_SYMBOL(security_old_inode_init_security); |
| 351 | 392 | ||
| 352 | #ifdef CONFIG_SECURITY_PATH | 393 | #ifdef CONFIG_SECURITY_PATH |
| 353 | int security_path_mknod(struct path *dir, struct dentry *dentry, int mode, | 394 | int security_path_mknod(struct path *dir, struct dentry *dentry, int mode, |
| @@ -523,9 +564,14 @@ int security_inode_permission(struct inode *inode, int mask) | |||
| 523 | 564 | ||
| 524 | int security_inode_setattr(struct dentry *dentry, struct iattr *attr) | 565 | int security_inode_setattr(struct dentry *dentry, struct iattr *attr) |
| 525 | { | 566 | { |
| 567 | int ret; | ||
| 568 | |||
| 526 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | 569 | if (unlikely(IS_PRIVATE(dentry->d_inode))) |
| 527 | return 0; | 570 | return 0; |
| 528 | return security_ops->inode_setattr(dentry, attr); | 571 | ret = security_ops->inode_setattr(dentry, attr); |
| 572 | if (ret) | ||
| 573 | return ret; | ||
| 574 | return evm_inode_setattr(dentry, attr); | ||
| 529 | } | 575 | } |
| 530 | EXPORT_SYMBOL_GPL(security_inode_setattr); | 576 | EXPORT_SYMBOL_GPL(security_inode_setattr); |
| 531 | 577 | ||
| @@ -539,9 +585,14 @@ int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) | |||
| 539 | int security_inode_setxattr(struct dentry *dentry, const char *name, | 585 | int security_inode_setxattr(struct dentry *dentry, const char *name, |
| 540 | const void *value, size_t size, int flags) | 586 | const void *value, size_t size, int flags) |
| 541 | { | 587 | { |
| 588 | int ret; | ||
| 589 | |||
| 542 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | 590 | if (unlikely(IS_PRIVATE(dentry->d_inode))) |
| 543 | return 0; | 591 | return 0; |
| 544 | return security_ops->inode_setxattr(dentry, name, value, size, flags); | 592 | ret = security_ops->inode_setxattr(dentry, name, value, size, flags); |
| 593 | if (ret) | ||
| 594 | return ret; | ||
| 595 | return evm_inode_setxattr(dentry, name, value, size); | ||
| 545 | } | 596 | } |
| 546 | 597 | ||
| 547 | void security_inode_post_setxattr(struct dentry *dentry, const char *name, | 598 | void security_inode_post_setxattr(struct dentry *dentry, const char *name, |
| @@ -550,6 +601,7 @@ void security_inode_post_setxattr(struct dentry *dentry, const char *name, | |||
| 550 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | 601 | if (unlikely(IS_PRIVATE(dentry->d_inode))) |
| 551 | return; | 602 | return; |
| 552 | security_ops->inode_post_setxattr(dentry, name, value, size, flags); | 603 | security_ops->inode_post_setxattr(dentry, name, value, size, flags); |
| 604 | evm_inode_post_setxattr(dentry, name, value, size); | ||
| 553 | } | 605 | } |
| 554 | 606 | ||
| 555 | int security_inode_getxattr(struct dentry *dentry, const char *name) | 607 | int security_inode_getxattr(struct dentry *dentry, const char *name) |
| @@ -568,9 +620,14 @@ int security_inode_listxattr(struct dentry *dentry) | |||
| 568 | 620 | ||
| 569 | int security_inode_removexattr(struct dentry *dentry, const char *name) | 621 | int security_inode_removexattr(struct dentry *dentry, const char *name) |
| 570 | { | 622 | { |
| 623 | int ret; | ||
| 624 | |||
| 571 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | 625 | if (unlikely(IS_PRIVATE(dentry->d_inode))) |
| 572 | return 0; | 626 | return 0; |
| 573 | return security_ops->inode_removexattr(dentry, name); | 627 | ret = security_ops->inode_removexattr(dentry, name); |
| 628 | if (ret) | ||
| 629 | return ret; | ||
| 630 | return evm_inode_removexattr(dentry, name); | ||
| 574 | } | 631 | } |
| 575 | 632 | ||
| 576 | int security_inode_need_killpriv(struct dentry *dentry) | 633 | int security_inode_need_killpriv(struct dentry *dentry) |