diff options
| author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2009-02-04 09:06:57 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2009-02-05 17:05:30 -0500 |
| commit | 6146f0d5e47ca4047ffded0fb79b6c25359b386c (patch) | |
| tree | edd792e52ad56d4a5d3ac6caa8437d3283fc157e /fs/exec.c | |
| parent | 659aaf2bb5496a425ba14036b5b5900f593e4484 (diff) | |
integrity: IMA hooks
This patch replaces the generic integrity hooks, for which IMA registered
itself, with IMA integrity hooks in the appropriate places directly
in the fs directory.
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'fs/exec.c')
| -rw-r--r-- | fs/exec.c | 10 |
1 files changed, 10 insertions, 0 deletions
| @@ -45,6 +45,7 @@ | |||
| 45 | #include <linux/proc_fs.h> | 45 | #include <linux/proc_fs.h> |
| 46 | #include <linux/mount.h> | 46 | #include <linux/mount.h> |
| 47 | #include <linux/security.h> | 47 | #include <linux/security.h> |
| 48 | #include <linux/ima.h> | ||
| 48 | #include <linux/syscalls.h> | 49 | #include <linux/syscalls.h> |
| 49 | #include <linux/tsacct_kern.h> | 50 | #include <linux/tsacct_kern.h> |
| 50 | #include <linux/cn_proc.h> | 51 | #include <linux/cn_proc.h> |
| @@ -130,6 +131,9 @@ asmlinkage long sys_uselib(const char __user * library) | |||
| 130 | error = vfs_permission(&nd, MAY_READ | MAY_EXEC | MAY_OPEN); | 131 | error = vfs_permission(&nd, MAY_READ | MAY_EXEC | MAY_OPEN); |
| 131 | if (error) | 132 | if (error) |
| 132 | goto exit; | 133 | goto exit; |
| 134 | error = ima_path_check(&nd.path, MAY_READ | MAY_EXEC | MAY_OPEN); | ||
| 135 | if (error) | ||
| 136 | goto exit; | ||
| 133 | 137 | ||
| 134 | file = nameidata_to_filp(&nd, O_RDONLY|O_LARGEFILE); | 138 | file = nameidata_to_filp(&nd, O_RDONLY|O_LARGEFILE); |
| 135 | error = PTR_ERR(file); | 139 | error = PTR_ERR(file); |
| @@ -683,6 +687,9 @@ struct file *open_exec(const char *name) | |||
| 683 | err = vfs_permission(&nd, MAY_EXEC | MAY_OPEN); | 687 | err = vfs_permission(&nd, MAY_EXEC | MAY_OPEN); |
| 684 | if (err) | 688 | if (err) |
| 685 | goto out_path_put; | 689 | goto out_path_put; |
| 690 | err = ima_path_check(&nd.path, MAY_EXEC | MAY_OPEN); | ||
| 691 | if (err) | ||
| 692 | goto out_path_put; | ||
| 686 | 693 | ||
| 687 | file = nameidata_to_filp(&nd, O_RDONLY|O_LARGEFILE); | 694 | file = nameidata_to_filp(&nd, O_RDONLY|O_LARGEFILE); |
| 688 | if (IS_ERR(file)) | 695 | if (IS_ERR(file)) |
| @@ -1209,6 +1216,9 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) | |||
| 1209 | retval = security_bprm_check(bprm); | 1216 | retval = security_bprm_check(bprm); |
| 1210 | if (retval) | 1217 | if (retval) |
| 1211 | return retval; | 1218 | return retval; |
| 1219 | retval = ima_bprm_check(bprm); | ||
| 1220 | if (retval) | ||
| 1221 | return retval; | ||
| 1212 | 1222 | ||
| 1213 | /* kernel module loader fixup */ | 1223 | /* kernel module loader fixup */ |
| 1214 | /* so we don't try to load run modprobe in kernel space. */ | 1224 | /* so we don't try to load run modprobe in kernel space. */ |