aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2009-05-19 13:25:57 -0400
committerJames Morris <jmorris@namei.org>2009-05-21 19:43:41 -0400
commitb9fc745db833bbf74b4988493b8cd902a84c9415 (patch)
tree45a15174efb3b1c3dcbe5f0dc503e790c4f6fd70 /security
parent932995f0ce52525b32ff5127b522c2c164de3810 (diff)
integrity: path_check update
- Add support in ima_path_check() for integrity checking without incrementing the counts. (Required for nfsd.) - rename and export opencount_get to ima_counts_get - replace ima_shm_check calls with ima_counts_get - export ima_path_check Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/ima/ima_main.c48
1 files changed, 29 insertions, 19 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index c4228c0eb2d..a2eb23310ea 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -125,6 +125,15 @@ static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,
125 return rc; 125 return rc;
126} 126}
127 127
128static void ima_update_counts(struct ima_iint_cache *iint, int mask)
129{
130 iint->opencount++;
131 if ((mask & MAY_WRITE) || (mask == 0))
132 iint->writecount++;
133 else if (mask & (MAY_READ | MAY_EXEC))
134 iint->readcount++;
135}
136
128/** 137/**
129 * ima_path_check - based on policy, collect/store measurement. 138 * ima_path_check - based on policy, collect/store measurement.
130 * @path: contains a pointer to the path to be measured 139 * @path: contains a pointer to the path to be measured
@@ -143,7 +152,7 @@ static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,
143 * Return 0 on success, an error code on failure. 152 * Return 0 on success, an error code on failure.
144 * (Based on the results of appraise_measurement().) 153 * (Based on the results of appraise_measurement().)
145 */ 154 */
146int ima_path_check(struct path *path, int mask) 155int ima_path_check(struct path *path, int mask, int update_counts)
147{ 156{
148 struct inode *inode = path->dentry->d_inode; 157 struct inode *inode = path->dentry->d_inode;
149 struct ima_iint_cache *iint; 158 struct ima_iint_cache *iint;
@@ -157,11 +166,8 @@ int ima_path_check(struct path *path, int mask)
157 return 0; 166 return 0;
158 167
159 mutex_lock(&iint->mutex); 168 mutex_lock(&iint->mutex);
160 iint->opencount++; 169 if (update_counts)
161 if ((mask & MAY_WRITE) || (mask == 0)) 170 ima_update_counts(iint, mask);
162 iint->writecount++;
163 else if (mask & (MAY_READ | MAY_EXEC))
164 iint->readcount++;
165 171
166 rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK); 172 rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);
167 if (rc < 0) 173 if (rc < 0)
@@ -197,6 +203,7 @@ out:
197 kref_put(&iint->refcount, iint_free); 203 kref_put(&iint->refcount, iint_free);
198 return 0; 204 return 0;
199} 205}
206EXPORT_SYMBOL_GPL(ima_path_check);
200 207
201static int process_measurement(struct file *file, const unsigned char *filename, 208static int process_measurement(struct file *file, const unsigned char *filename,
202 int mask, int function) 209 int mask, int function)
@@ -225,7 +232,16 @@ out:
225 return rc; 232 return rc;
226} 233}
227 234
228static void opencount_get(struct file *file) 235/*
236 * ima_opens_get - increment file counts
237 *
238 * - for IPC shm and shmat file.
239 * - for nfsd exported files.
240 *
241 * Increment the counts for these files to prevent unnecessary
242 * imbalance messages.
243 */
244void ima_counts_get(struct file *file)
229{ 245{
230 struct inode *inode = file->f_dentry->d_inode; 246 struct inode *inode = file->f_dentry->d_inode;
231 struct ima_iint_cache *iint; 247 struct ima_iint_cache *iint;
@@ -237,8 +253,14 @@ static void opencount_get(struct file *file)
237 return; 253 return;
238 mutex_lock(&iint->mutex); 254 mutex_lock(&iint->mutex);
239 iint->opencount++; 255 iint->opencount++;
256 if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
257 iint->readcount++;
258
259 if (file->f_mode & FMODE_WRITE)
260 iint->writecount++;
240 mutex_unlock(&iint->mutex); 261 mutex_unlock(&iint->mutex);
241} 262}
263EXPORT_SYMBOL_GPL(ima_counts_get);
242 264
243/** 265/**
244 * ima_file_mmap - based on policy, collect/store measurement. 266 * ima_file_mmap - based on policy, collect/store measurement.
@@ -263,18 +285,6 @@ int ima_file_mmap(struct file *file, unsigned long prot)
263 return 0; 285 return 0;
264} 286}
265 287
266/*
267 * ima_shm_check - IPC shm and shmat create/fput a file
268 *
269 * Maintain the opencount for these files to prevent unnecessary
270 * imbalance messages.
271 */
272void ima_shm_check(struct file *file)
273{
274 opencount_get(file);
275 return;
276}
277
278/** 288/**
279 * ima_bprm_check - based on policy, collect/store measurement. 289 * ima_bprm_check - based on policy, collect/store measurement.
280 * @bprm: contains the linux_binprm structure 290 * @bprm: contains the linux_binprm structure