author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2010-01-26 17:02:41 -0500 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2010-02-07 03:06:23 -0500 |
commit | 1e93d0052d9a6b3d0b382eedceb18b519d603baf (patch) | |
tree | b47cb67cdfd98e257c4d7fb7ed75f6930a1bf005 | |
parent | 9bbb6cad0173e6220f3ac609e26beb48dab3b7cd (diff) |
ima: rename PATH_CHECK to FILE_CHECK
With the movement of the ima hooks, functions were renamed from *path* to
*file*, since they always deal with struct file. This patch renames some of
the ima internal flags to make them consistent with the rest of the code.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | Documentation/ABI/testing/ima_policy | 12 | ||||
-rw-r--r-- | security/integrity/ima/ima.h | 2 | ||||
-rw-r--r-- | security/integrity/ima/ima_api.c | 4 | ||||
-rw-r--r-- | security/integrity/ima/ima_main.c | 4 | ||||
-rw-r--r-- | security/integrity/ima/ima_policy.c | 9 |
5 files changed, 17 insertions, 14 deletions
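--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -20,7 +20,7 @@ Description:
 	lsm:	[[subj_user=] [subj_role=] [subj_type=]
 		 [obj_user=] [obj_role=] [obj_type=]]
 
-	base: 	func:= [BPRM_CHECK][FILE_MMAP][INODE_PERMISSION]
+	base: 	func:= [BPRM_CHECK][FILE_MMAP][FILE_CHECK]
 		mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
 		fsmagic:= hex value
 		uid:= decimal value
@@ -40,11 +40,11 @@ Description:
 
 	measure func=BPRM_CHECK
 	measure func=FILE_MMAP mask=MAY_EXEC
-	measure func=INODE_PERM mask=MAY_READ uid=0
+	measure func=FILE_CHECK mask=MAY_READ uid=0
 
 	The default policy measures all executables in bprm_check,
 	all files mmapped executable in file_mmap, and all files
-	open for read by root in inode_permission.
+	open for read by root in do_filp_open.
 
 	Examples of LSM specific definitions:
 
@@ -54,8 +54,8 @@ Description:
 
 	dont_measure obj_type=var_log_t
 	dont_measure obj_type=auditd_log_t
-	measure subj_user=system_u func=INODE_PERM mask=MAY_READ
-	measure subj_role=system_r func=INODE_PERM mask=MAY_READ
+	measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
+	measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
 
 	Smack:
-	measure subj_user=_ func=INODE_PERM mask=MAY_READ
+	measure subj_user=_ func=FILE_CHECK mask=MAY_READ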
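--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -130,7 +130,7 @@ void iint_free(struct kref *kref);
 void iint_rcu_free(struct rcu_head *rcu);
 
 /* IMA policy related functions */
-enum ima_hooks { PATH_CHECK = 1, FILE_MMAP, BPRM_CHECK };
+enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK };
 
 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask);
 void ima_init_policy(void);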
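--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -95,12 +95,12 @@ err_out:
  * ima_must_measure - measure decision based on policy.
  * @inode: pointer to inode to measure
  * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
- * @function: calling function (PATH_CHECK, BPRM_CHECK, FILE_MMAP)
+ * @function: calling function (FILE_CHECK, BPRM_CHECK, FILE_MMAP)
  *
  * The policy is defined in terms of keypairs:
  * 	subj=, obj=, type=, func=, mask=, fsmagic=
  * 	subj,obj, and type: are LSM specific.
- * 	func: PATH_CHECK | BPRM_CHECK | FILE_MMAP
+ * 	func: FILE_CHECK | BPRM_CHECK | FILE_MMAP
  * 	mask: contains the permission mask
  * 	fsmagic: hex value
  *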
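--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -153,7 +153,7 @@ void ima_counts_get(struct file *file)
 	if (!iint)
 		return;
 	mutex_lock(&iint->mutex);
-	rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);
+	rc = ima_must_measure(iint, inode, MAY_READ, FILE_CHECK);
 	if (rc < 0)
 		goto out;
 
@@ -312,7 +312,7 @@ int ima_file_check(struct file *file, int mask)
 
 	rc = process_measurement(file, file->f_dentry->d_name.name,
 				 mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
-				 PATH_CHECK);
+				 FILE_CHECK);
 	return 0;
 }
 EXPORT_SYMBOL_GPL(ima_file_check);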
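--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -67,7 +67,7 @@ static struct ima_measure_rule_entry default_rules[] = {
 	 .flags = IMA_FUNC | IMA_MASK},
 	{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
 	 .flags = IMA_FUNC | IMA_MASK},
-	{.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
+	{.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = 0,
 	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 };
 
@@ -282,8 +282,11 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
 			break;
 		case Opt_func:
 			audit_log_format(ab, "func=%s ", args[0].from);
-			if (strcmp(args[0].from, "PATH_CHECK") == 0)
-				entry->func = PATH_CHECK;
+			if (strcmp(args[0].from, "FILE_CHECK") == 0)
+				entry->func = FILE_CHECK;
+			/* PATH_CHECK is for backwards compat */
+			else if (strcmp(args[0].from, "PATH_CHECK") == 0)
+				entry->func = FILE_CHECK;
 			else if (strcmp(args[0].from, "FILE_MMAP") == 0)
 				entry->func = FILE_MMAP;
 			else if (strcmp(args[0].from, "BPRM_CHECK") == 0)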
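Review bot: The added `else if` for "PATH_CHECK" keeps the old token accepted, but the ABI document changed in this same commit lists only `[BPRM_CHECK][FILE_MMAP][FILE_CHECK]`, so the still-accepted legacy spelling and its mapping to FILE_CHECK are undocumented and an administrator cannot tell whether a policy written with `func=PATH_CHECK` is deprecated. I would make the comment state the mapping explicitly, `/* PATH_CHECK is a deprecated alias for FILE_CHECK, kept so existing policies keep loading */`, and add one line to the ABI file's func list naming the alias. Note also that the `audit_log_format` call just above records the raw string, so a legacy rule is audited as `func=PATH_CHECK` while the stored rule is FILE_CHECK; a short mention of that in the comment would save a log reader from looking for a rule that is not in the parsed policy. ima_parse_rule starts and ends outside the hunk.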