authorMimi Zohar <zohar@linux.vnet.ibm.com>2011-03-09 14:13:22 -0500
committerMimi Zohar <zohar@linux.vnet.ibm.com>2011-07-18 12:29:38 -0400
commitf381c272224f5f158f5cff64f8f3481fa0eee8b3 (patch)
treea003dc4c6635c9d2fa90f31577ba5e7ea7bc71b1
parent9d8f13ba3f4833219e50767b022b82cd0da930eb (diff)
integrity: move ima inode integrity data management
Move the inode integrity data(iint) management up to the integrity directory in order to share the iint among the different integrity models. Changelog: - don't define MAX_DIGEST_SIZE - rename several globally visible 'ima_' prefixed functions, structs, locks, etc to 'integrity_' - replace '20' with SHA1_DIGEST_SIZE - reflect location change in appropriate Kconfig and Makefiles - remove unnecessary initialization of iint_initialized to 0 - rebased on current ima_iint.c - define integrity_iint_store/lock as static There should be no other functional changes. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-rw-r--r--include/linux/ima.h13
-rw-r--r--include/linux/integrity.h30
-rw-r--r--security/Kconfig2
-rw-r--r--security/Makefile4
-rw-r--r--security/integrity/Kconfig6
-rw-r--r--security/integrity/Makefile10
-rw-r--r--security/integrity/iint.c170
-rw-r--r--security/integrity/ima/Kconfig1
-rw-r--r--security/integrity/ima/Makefile2
-rw-r--r--security/integrity/ima/ima.h29
-rw-r--r--security/integrity/ima/ima_api.c7
-rw-r--r--security/integrity/ima/ima_iint.c169
-rw-r--r--security/integrity/ima/ima_main.c12
-rw-r--r--security/integrity/integrity.h35
-rw-r--r--security/security.c3
15 files changed, 277 insertions, 216 deletions
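--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -15,8 +15,6 @@ struct linux_binprm;
 
 #ifdef CONFIG_IMA
 extern int ima_bprm_check(struct linux_binprm *bprm);
-extern int ima_inode_alloc(struct inode *inode);
-extern void ima_inode_free(struct inode *inode);
 extern int ima_file_check(struct file *file, int mask);
 extern void ima_file_free(struct file *file);
 extern int ima_file_mmap(struct file *file, unsigned long prot);
@@ -27,16 +25,6 @@ static inline int ima_bprm_check(struct linux_binprm *bprm)
 	return 0;
 }
 
-static inline int ima_inode_alloc(struct inode *inode)
-{
-	return 0;
-}
-
-static inline void ima_inode_free(struct inode *inode)
-{
-	return;
-}
-
 static inline int ima_file_check(struct file *file, int mask)
 {
 	return 0;
@@ -51,6 +39,5 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
 {
 	return 0;
 }
-
 #endif /* CONFIG_IMA_H */
 #endif /* _LINUX_IMA_H */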
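--- /dev/null
+++ b/include/linux/integrity.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2009 IBM Corporation
+ * Author: Mimi Zohar <zohar@us.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2 of the License.
+ */
+
+#ifndef _LINUX_INTEGRITY_H
+#define _LINUX_INTEGRITY_H
+
+#include <linux/fs.h>
+
+#ifdef CONFIG_INTEGRITY
+extern int integrity_inode_alloc(struct inode *inode);
+extern void integrity_inode_free(struct inode *inode);
+
+#else
+static inline int integrity_inode_alloc(struct inode *inode)
+{
+	return 0;
+}
+
+static inline void integrity_inode_free(struct inode *inode)
+{
+	return;
+}
+#endif /* CONFIG_INTEGRITY_H */
+#endif /* _LINUX_INTEGRITY_H */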
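Review bot: The closing comment at line 29, `#endif /* CONFIG_INTEGRITY_H */`, does not name the condition it closes, which is `#ifdef CONFIG_INTEGRITY` at line 15; it should read `#endif /* CONFIG_INTEGRITY */`. The same mismatched `CONFIG_IMA_H` comment exists in include/linux/ima.h, so this looks copied from there rather than written fresh. The bare `return;` in the void stub at line 27 is redundant and can be dropped.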
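--- a/security/Kconfig
+++ b/security/Kconfig
@@ -186,7 +186,7 @@ source security/smack/Kconfig
 source security/tomoyo/Kconfig
 source security/apparmor/Kconfig
 
-source security/integrity/ima/Kconfig
+source security/integrity/Kconfig
 
 choice
 	prompt "Default security module"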
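--- a/security/Makefile
+++ b/security/Makefile
@@ -24,5 +24,5 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/built-in.o
 obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
 
 # Object integrity file lists
-subdir-$(CONFIG_IMA) += integrity/ima
-obj-$(CONFIG_IMA) += integrity/ima/built-in.o
+subdir-$(CONFIG_INTEGRITY) += integrity
+obj-$(CONFIG_INTEGRITY) += integrity/built-in.o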
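--- /dev/null
+++ b/security/integrity/Kconfig
@@ -0,0 +1,6 @@
+#
+config INTEGRITY
+	def_bool y
+	depends on IMA
+
+source security/integrity/ima/Kconfig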
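Review bot: `config INTEGRITY` is declared `def_bool y` with `depends on IMA` at lines 3-4, while `config IMA` in security/integrity/ima/Kconfig gains `select INTEGRITY` in this same commit; `select` turns a symbol on regardless of its `depends on`, so the two directions are circular and one of them is redundant. Since the commit message says the iint is being moved so that other integrity models can share it, the dependency on IMA is the one that will not hold up; declaring the symbol as `config INTEGRITY` / `bool` with no default and letting each integrity model `select INTEGRITY` would express that. If the dependency is kept instead, the `select` in ima/Kconfig can go.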
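--- /dev/null
+++ b/security/integrity/Makefile
@@ -0,0 +1,10 @@
+#
+# Makefile for caching inode integrity data (iint)
+#
+
+obj-$(CONFIG_INTEGRITY) += integrity.o
+
+integrity-y := iint.o
+
+subdir-$(CONFIG_IMA) += ima
+obj-$(CONFIG_IMA) += ima/built-in.o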
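--- /dev/null
+++ b/security/integrity/iint.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (C) 2008 IBM Corporation
+ *
+ * Authors:
+ * Mimi Zohar <zohar@us.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: integrity_iint.c
+ *	- implements the integrity hooks: integrity_inode_alloc,
+ *	  integrity_inode_free
+ *	- cache integrity information associated with an inode
+ *	  using a rbtree tree.
+ */
+#include <linux/slab.h>
+#include <linux/module.h>
+#include <linux/spinlock.h>
+#include <linux/rbtree.h>
+#include "integrity.h"
+
+static struct rb_root integrity_iint_tree = RB_ROOT;
+static DEFINE_SPINLOCK(integrity_iint_lock);
+static struct kmem_cache *iint_cache __read_mostly;
+
+int iint_initialized;
+
+/*
+ * __integrity_iint_find - return the iint associated with an inode
+ */
+static struct integrity_iint_cache *__integrity_iint_find(struct inode *inode)
+{
+	struct integrity_iint_cache *iint;
+	struct rb_node *n = integrity_iint_tree.rb_node;
+
+	assert_spin_locked(&integrity_iint_lock);
+
+	while (n) {
+		iint = rb_entry(n, struct integrity_iint_cache, rb_node);
+
+		if (inode < iint->inode)
+			n = n->rb_left;
+		else if (inode > iint->inode)
+			n = n->rb_right;
+		else
+			break;
+	}
+	if (!n)
+		return NULL;
+
+	return iint;
+}
+
+/*
+ * integrity_iint_find - return the iint associated with an inode
+ */
+struct integrity_iint_cache *integrity_iint_find(struct inode *inode)
+{
+	struct integrity_iint_cache *iint;
+
+	if (!IS_IMA(inode))
+		return NULL;
+
+	spin_lock(&integrity_iint_lock);
+	iint = __integrity_iint_find(inode);
+	spin_unlock(&integrity_iint_lock);
+
+	return iint;
+}
+
+static void iint_free(struct integrity_iint_cache *iint)
+{
+	iint->version = 0;
+	iint->flags = 0UL;
+	kmem_cache_free(iint_cache, iint);
+}
+
+/**
+ * integrity_inode_alloc - allocate an iint associated with an inode
+ * @inode: pointer to the inode
+ */
+int integrity_inode_alloc(struct inode *inode)
+{
+	struct rb_node **p;
+	struct rb_node *new_node, *parent = NULL;
+	struct integrity_iint_cache *new_iint, *test_iint;
+	int rc;
+
+	new_iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
+	if (!new_iint)
+		return -ENOMEM;
+
+	new_iint->inode = inode;
+	new_node = &new_iint->rb_node;
+
+	mutex_lock(&inode->i_mutex);	/* i_flags */
+	spin_lock(&integrity_iint_lock);
+
+	p = &integrity_iint_tree.rb_node;
+	while (*p) {
+		parent = *p;
+		test_iint = rb_entry(parent, struct integrity_iint_cache,
+				     rb_node);
+		rc = -EEXIST;
+		if (inode < test_iint->inode)
+			p = &(*p)->rb_left;
+		else if (inode > test_iint->inode)
+			p = &(*p)->rb_right;
+		else
+			goto out_err;
+	}
+
+	inode->i_flags |= S_IMA;
+	rb_link_node(new_node, parent, p);
+	rb_insert_color(new_node, &integrity_iint_tree);
+
+	spin_unlock(&integrity_iint_lock);
+	mutex_unlock(&inode->i_mutex);	/* i_flags */
+
+	return 0;
+out_err:
+	spin_unlock(&integrity_iint_lock);
+	mutex_unlock(&inode->i_mutex);	/* i_flags */
+	iint_free(new_iint);
+
+	return rc;
+}
+
+/**
+ * integrity_inode_free - called on security_inode_free
+ * @inode: pointer to the inode
+ *
+ * Free the integrity information(iint) associated with an inode.
+ */
+void integrity_inode_free(struct inode *inode)
+{
+	struct integrity_iint_cache *iint;
+
+	if (!IS_IMA(inode))
+		return;
+
+	spin_lock(&integrity_iint_lock);
+	iint = __integrity_iint_find(inode);
+	rb_erase(&iint->rb_node, &integrity_iint_tree);
+	spin_unlock(&integrity_iint_lock);
+
+	iint_free(iint);
+}
+
+static void init_once(void *foo)
+{
+	struct integrity_iint_cache *iint = foo;
+
+	memset(iint, 0, sizeof *iint);
+	iint->version = 0;
+	iint->flags = 0UL;
+	mutex_init(&iint->mutex);
+}
+
+static int __init integrity_iintcache_init(void)
+{
+	iint_cache =
+	    kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache),
+			      0, SLAB_PANIC, init_once);
+	iint_initialized = 1;
+	return 0;
+}
+security_initcall(integrity_iintcache_init);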
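Review bot: The file header at line 12 still says `File: integrity_iint.c`, but the file now lives at security/integrity/iint.c; the line should read ` * File: iint.c`. In `integrity_inode_free` the pointer returned by `__integrity_iint_find()` at line 145 is used at line 146 without a NULL check; that holds only because `S_IMA` is set at line 115 under `integrity_iint_lock` in the same critical section as the tree insert and nothing in this file ever clears it, an invariant worth stating next to the call, e.g. `/* S_IMA is set only under integrity_iint_lock together with the insert, so the lookup cannot fail here */`. Lines 157-158 in `init_once` zero `version` and `flags` again right after the `memset` at line 156 has already cleared the whole object, and can be dropped. `iint_initialized` at line 28 is a non-static global that ima_main.c reads, yet its extern declaration does not appear in the new integrity.h; presumably it still lives in ima.h outside these hunks.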
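--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -3,6 +3,7 @@
 config IMA
 	bool "Integrity Measurement Architecture(IMA)"
 	depends on SECURITY
+	select INTEGRITY
 	select SECURITYFS
 	select CRYPTO
 	select CRYPTO_HMAC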
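--- a/security/integrity/ima/Makefile
+++ b/security/integrity/ima/Makefile
@@ -6,4 +6,4 @@
 obj-$(CONFIG_IMA) += ima.o
 
 ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
-	 ima_policy.o ima_iint.o ima_audit.o
+	 ima_policy.o ima_audit.o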
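--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -24,11 +24,13 @@
 #include <linux/tpm.h>
 #include <linux/audit.h>
 
+#include "../integrity.h"
+
 enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_ASCII };
 enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
 
 /* digest size for IMA, fits SHA1 or MD5 */
-#define IMA_DIGEST_SIZE 20
+#define IMA_DIGEST_SIZE SHA1_DIGEST_SIZE
 #define IMA_EVENT_NAME_LEN_MAX 255
 
 #define IMA_HASH_BITS 9
@@ -96,34 +98,21 @@ static inline unsigned long ima_hash_key(u8 *digest)
 	return hash_long(*digest, IMA_HASH_BITS);
 }
 
-/* iint cache flags */
-#define IMA_MEASURED 0x01
-
-/* integrity data associated with an inode */
-struct ima_iint_cache {
-	struct rb_node rb_node;	/* rooted in ima_iint_tree */
-	struct inode *inode;	/* back pointer to inode in question */
-	u64 version;		/* track inode changes */
-	unsigned char flags;
-	u8 digest[IMA_DIGEST_SIZE];
-	struct mutex mutex;	/* protects: version, flags, digest */
-};
-
 /* LIM API function definitions */
 int ima_must_measure(struct inode *inode, int mask, int function);
-int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file);
-void ima_store_measurement(struct ima_iint_cache *iint, struct file *file,
+int ima_collect_measurement(struct integrity_iint_cache *iint,
+			    struct file *file);
+void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
 			   const unsigned char *filename);
 int ima_store_template(struct ima_template_entry *entry, int violation,
 		       struct inode *inode);
-void ima_template_show(struct seq_file *m, void *e,
-		       enum ima_show_type show);
+void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show);
 
 /* rbtree tree calls to lookup, insert, delete
  * integrity data associated with an inode.
  */
-struct ima_iint_cache *ima_iint_insert(struct inode *inode);
-struct ima_iint_cache *ima_iint_find(struct inode *inode);
+struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
+struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
 
 /* IMA policy related functions */
 enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK };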
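Review bot: The prototypes at lines 114-115 (`integrity_iint_insert`, `integrity_iint_find`) duplicate the ones the new security/integrity/integrity.h already provides, and ima.h now includes that header at line 27; two copies means the next signature change has to be made twice, so the ima.h copies together with their comment at lines 111-113 can be removed. `IMA_DIGEST_SIZE` at line 33 now expands to `SHA1_DIGEST_SIZE`, which only reaches this header through the `<crypto/sha.h>` include inside integrity.h; a short note at line 27 such as `/* integrity_iint_cache, IMA_MEASURED, SHA1_DIGEST_SIZE */` would make that dependency visible to readers of ima.h alone.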
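--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -126,7 +126,8 @@ int ima_must_measure(struct inode *inode, int mask, int function)
  *
  * Return 0 on success, error code otherwise
  */
-int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file)
+int ima_collect_measurement(struct integrity_iint_cache *iint,
+			    struct file *file)
 {
 	int result = -EEXIST;
 
@@ -156,8 +157,8 @@ int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file)
  *
  * Must be called with iint->mutex held.
  */
-void ima_store_measurement(struct ima_iint_cache *iint, struct file *file,
-			   const unsigned char *filename)
+void ima_store_measurement(struct integrity_iint_cache *iint,
+			   struct file *file, const unsigned char *filename)
 {
 	const char *op = "add_template_measure";
 	const char *audit_cause = "ENOMEM";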
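--- a/security/integrity/ima/ima_iint.c
+++ /dev/null
@@ -1,169 +0,0 @@
-/*
- * Copyright (C) 2008 IBM Corporation
- *
- * Authors:
- * Mimi Zohar <zohar@us.ibm.com>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * File: ima_iint.c
- *	- implements the IMA hooks: ima_inode_alloc, ima_inode_free
- *	- cache integrity information associated with an inode
- *	  using a rbtree tree.
- */
-#include <linux/slab.h>
-#include <linux/module.h>
-#include <linux/spinlock.h>
-#include <linux/rbtree.h>
-#include "ima.h"
-
-static struct rb_root ima_iint_tree = RB_ROOT;
-static DEFINE_SPINLOCK(ima_iint_lock);
-static struct kmem_cache *iint_cache __read_mostly;
-
-int iint_initialized = 0;
-
-/*
- * __ima_iint_find - return the iint associated with an inode
- */
-static struct ima_iint_cache *__ima_iint_find(struct inode *inode)
-{
-	struct ima_iint_cache *iint;
-	struct rb_node *n = ima_iint_tree.rb_node;
-
-	assert_spin_locked(&ima_iint_lock);
-
-	while (n) {
-		iint = rb_entry(n, struct ima_iint_cache, rb_node);
-
-		if (inode < iint->inode)
-			n = n->rb_left;
-		else if (inode > iint->inode)
-			n = n->rb_right;
-		else
-			break;
-	}
-	if (!n)
-		return NULL;
-
-	return iint;
-}
-
-/*
- * ima_iint_find - return the iint associated with an inode
- */
-struct ima_iint_cache *ima_iint_find(struct inode *inode)
-{
-	struct ima_iint_cache *iint;
-
-	if (!IS_IMA(inode))
-		return NULL;
-
-	spin_lock(&ima_iint_lock);
-	iint = __ima_iint_find(inode);
-	spin_unlock(&ima_iint_lock);
-
-	return iint;
-}
-
-static void iint_free(struct ima_iint_cache *iint)
-{
-	iint->version = 0;
-	iint->flags = 0UL;
-	kmem_cache_free(iint_cache, iint);
-}
-
-/**
- * ima_inode_alloc - allocate an iint associated with an inode
- * @inode: pointer to the inode
- */
-int ima_inode_alloc(struct inode *inode)
-{
-	struct rb_node **p;
-	struct rb_node *new_node, *parent = NULL;
-	struct ima_iint_cache *new_iint, *test_iint;
-	int rc;
-
-	new_iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
-	if (!new_iint)
-		return -ENOMEM;
-
-	new_iint->inode = inode;
-	new_node = &new_iint->rb_node;
-
-	mutex_lock(&inode->i_mutex);	/* i_flags */
-	spin_lock(&ima_iint_lock);
-
-	p = &ima_iint_tree.rb_node;
-	while (*p) {
-		parent = *p;
-		test_iint = rb_entry(parent, struct ima_iint_cache, rb_node);
-
-		rc = -EEXIST;
-		if (inode < test_iint->inode)
-			p = &(*p)->rb_left;
-		else if (inode > test_iint->inode)
-			p = &(*p)->rb_right;
-		else
-			goto out_err;
-	}
-
-	inode->i_flags |= S_IMA;
-	rb_link_node(new_node, parent, p);
-	rb_insert_color(new_node, &ima_iint_tree);
-
-	spin_unlock(&ima_iint_lock);
-	mutex_unlock(&inode->i_mutex);	/* i_flags */
-
-	return 0;
-out_err:
-	spin_unlock(&ima_iint_lock);
-	mutex_unlock(&inode->i_mutex);	/* i_flags */
-	iint_free(new_iint);
-
-	return rc;
-}
-
-/**
- * ima_inode_free - called on security_inode_free
- * @inode: pointer to the inode
- *
- * Free the integrity information(iint) associated with an inode.
- */
-void ima_inode_free(struct inode *inode)
-{
-	struct ima_iint_cache *iint;
-
-	if (!IS_IMA(inode))
-		return;
-
-	spin_lock(&ima_iint_lock);
-	iint = __ima_iint_find(inode);
-	rb_erase(&iint->rb_node, &ima_iint_tree);
-	spin_unlock(&ima_iint_lock);
-
-	iint_free(iint);
-}
-
-static void init_once(void *foo)
-{
-	struct ima_iint_cache *iint = foo;
-
-	memset(iint, 0, sizeof *iint);
-	iint->version = 0;
-	iint->flags = 0UL;
-	mutex_init(&iint->mutex);
-}
-
-static int __init ima_iintcache_init(void)
-{
-	iint_cache =
-	    kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0,
-			      SLAB_PANIC, init_once);
-	iint_initialized = 1;
-	return 0;
-}
-security_initcall(ima_iintcache_init);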
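--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -82,7 +82,7 @@ out:
 				    "open_writers");
 }
 
-static void ima_check_last_writer(struct ima_iint_cache *iint,
+static void ima_check_last_writer(struct integrity_iint_cache *iint,
 				  struct inode *inode,
 				  struct file *file)
 {
@@ -105,12 +105,12 @@ static void ima_check_last_writer(struct ima_iint_cache *iint,
 void ima_file_free(struct file *file)
 {
 	struct inode *inode = file->f_dentry->d_inode;
-	struct ima_iint_cache *iint;
+	struct integrity_iint_cache *iint;
 
 	if (!iint_initialized || !S_ISREG(inode->i_mode))
 		return;
 
-	iint = ima_iint_find(inode);
+	iint = integrity_iint_find(inode);
 	if (!iint)
 		return;
 
@@ -121,7 +121,7 @@ static int process_measurement(struct file *file, const unsigned char *filename,
 			       int mask, int function)
 {
 	struct inode *inode = file->f_dentry->d_inode;
-	struct ima_iint_cache *iint;
+	struct integrity_iint_cache *iint;
 	int rc = 0;
 
 	if (!ima_initialized || !S_ISREG(inode->i_mode))
@@ -131,9 +131,9 @@ static int process_measurement(struct file *file, const unsigned char *filename,
 	if (rc != 0)
 		return rc;
 retry:
-	iint = ima_iint_find(inode);
+	iint = integrity_iint_find(inode);
 	if (!iint) {
-		rc = ima_inode_alloc(inode);
+		rc = integrity_inode_alloc(inode);
 		if (!rc || rc == -EEXIST)
 			goto retry;
 		return rc;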
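--- /dev/null
+++ b/security/integrity/integrity.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2009-2010 IBM Corporation
+ *
+ * Authors:
+ * Mimi Zohar <zohar@us.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ */
+
+#include <linux/types.h>
+#include <linux/integrity.h>
+#include <crypto/sha.h>
+
+/* iint cache flags */
+#define IMA_MEASURED 0x01
+
+/* integrity data associated with an inode */
+struct integrity_iint_cache {
+	struct rb_node rb_node;	/* rooted in integrity_iint_tree */
+	struct inode *inode;	/* back pointer to inode in question */
+	u64 version;		/* track inode changes */
+	unsigned char flags;
+	u8 digest[SHA1_DIGEST_SIZE];
+	struct mutex mutex;	/* protects: version, flags, digest */
+};
+
+/* rbtree tree calls to lookup, insert, delete
+ * integrity data associated with an inode.
+ */
+struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
+struct integrity_iint_cache *integrity_iint_find(struct inode *inode);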
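Review bot: This header has no include guard, unlike include/linux/integrity.h in the same commit which gets `_LINUX_INTEGRITY_H`; it is included from both ima.h and iint.c, so wrapping the body in a `#ifndef` / `#define` pair (a constructed name such as `_INTEGRITY_H`, closed with a matching `#endif` comment) avoids a redefinition of `struct integrity_iint_cache` as soon as two headers in one translation unit pull it in. `integrity_iint_insert` is declared at line 34 but iint.c defines no such function in this commit, and the deleted ima_iint.c did not define `ima_iint_insert` either, so the prototype is dead and can go. The struct uses `struct rb_node` and `struct mutex` without including `<linux/rbtree.h>` or `<linux/mutex.h>`, relying on whatever the includer happened to pull in first. `iint_initialized`, which iint.c defines non-static and ima_main.c reads, is not declared here; presumably the extern still lives in ima.h outside these hunks, but it belongs next to the other shared declarations.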
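--- a/security/security.c
+++ b/security/security.c
@@ -16,6 +16,7 @@
 #include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/security.h>
+#include <linux/integrity.h>
 #include <linux/ima.h>
 
 #define MAX_LSM_XATTR 1
@@ -336,7 +337,7 @@ int security_inode_alloc(struct inode *inode)
 
 void security_inode_free(struct inode *inode)
 {
-	ima_inode_free(inode);
+	integrity_inode_free(inode);
 	security_ops->inode_free_security(inode);
 }
 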