diff options
| author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2009-10-22 17:30:13 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2009-10-25 00:22:48 -0400 |
| commit | 6c21a7fb492bf7e2c4985937082ce58ddeca84bd (patch) | |
| tree | 6cfe11ba4b8eee26ee8b02d2b4a5fcc6ea07e4bd /fs | |
| parent | 6e8e16c7bc298d7887584c3d027e05db3e86eed9 (diff) | |
LSM: imbed ima calls in the security hooks
Based on discussions on LKML and LSM, where there are consecutive
security_ and ima_ calls in the vfs layer, move the ima_ calls to
the existing security_ hooks.
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/exec.c | 4 | ||||
| -rw-r--r-- | fs/file_table.c | 2 | ||||
| -rw-r--r-- | fs/inode.c | 10 |
3 files changed, 0 insertions, 16 deletions
| @@ -46,7 +46,6 @@ | |||
| 46 | #include <linux/proc_fs.h> | 46 | #include <linux/proc_fs.h> |
| 47 | #include <linux/mount.h> | 47 | #include <linux/mount.h> |
| 48 | #include <linux/security.h> | 48 | #include <linux/security.h> |
| 49 | #include <linux/ima.h> | ||
| 50 | #include <linux/syscalls.h> | 49 | #include <linux/syscalls.h> |
| 51 | #include <linux/tsacct_kern.h> | 50 | #include <linux/tsacct_kern.h> |
| 52 | #include <linux/cn_proc.h> | 51 | #include <linux/cn_proc.h> |
| @@ -1211,9 +1210,6 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) | |||
| 1211 | retval = security_bprm_check(bprm); | 1210 | retval = security_bprm_check(bprm); |
| 1212 | if (retval) | 1211 | if (retval) |
| 1213 | return retval; | 1212 | return retval; |
| 1214 | retval = ima_bprm_check(bprm); | ||
| 1215 | if (retval) | ||
| 1216 | return retval; | ||
| 1217 | 1213 | ||
| 1218 | /* kernel module loader fixup */ | 1214 | /* kernel module loader fixup */ |
| 1219 | /* so we don't try to load run modprobe in kernel space. */ | 1215 | /* so we don't try to load run modprobe in kernel space. */ |
diff --git a/fs/file_table.c b/fs/file_table.c index 8eb44042e009..4bef4c01ec6f 100644 --- a/fs/file_table.c +++ b/fs/file_table.c | |||
| @@ -13,7 +13,6 @@ | |||
| 13 | #include <linux/module.h> | 13 | #include <linux/module.h> |
| 14 | #include <linux/fs.h> | 14 | #include <linux/fs.h> |
| 15 | #include <linux/security.h> | 15 | #include <linux/security.h> |
| 16 | #include <linux/ima.h> | ||
| 17 | #include <linux/eventpoll.h> | 16 | #include <linux/eventpoll.h> |
| 18 | #include <linux/rcupdate.h> | 17 | #include <linux/rcupdate.h> |
| 19 | #include <linux/mount.h> | 18 | #include <linux/mount.h> |
| @@ -280,7 +279,6 @@ void __fput(struct file *file) | |||
| 280 | if (file->f_op && file->f_op->release) | 279 | if (file->f_op && file->f_op->release) |
| 281 | file->f_op->release(inode, file); | 280 | file->f_op->release(inode, file); |
| 282 | security_file_free(file); | 281 | security_file_free(file); |
| 283 | ima_file_free(file); | ||
| 284 | if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL)) | 282 | if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL)) |
| 285 | cdev_put(inode->i_cdev); | 283 | cdev_put(inode->i_cdev); |
| 286 | fops_put(file->f_op); | 284 | fops_put(file->f_op); |
diff --git a/fs/inode.c b/fs/inode.c index 4d8e3be55976..06c1f02de611 100644 --- a/fs/inode.c +++ b/fs/inode.c | |||
| @@ -18,7 +18,6 @@ | |||
| 18 | #include <linux/hash.h> | 18 | #include <linux/hash.h> |
| 19 | #include <linux/swap.h> | 19 | #include <linux/swap.h> |
| 20 | #include <linux/security.h> | 20 | #include <linux/security.h> |
| 21 | #include <linux/ima.h> | ||
| 22 | #include <linux/pagemap.h> | 21 | #include <linux/pagemap.h> |
| 23 | #include <linux/cdev.h> | 22 | #include <linux/cdev.h> |
| 24 | #include <linux/bootmem.h> | 23 | #include <linux/bootmem.h> |
| @@ -157,11 +156,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode) | |||
| 157 | 156 | ||
| 158 | if (security_inode_alloc(inode)) | 157 | if (security_inode_alloc(inode)) |
| 159 | goto out; | 158 | goto out; |
| 160 | |||
| 161 | /* allocate and initialize an i_integrity */ | ||
| 162 | if (ima_inode_alloc(inode)) | ||
| 163 | goto out_free_security; | ||
| 164 | |||
| 165 | spin_lock_init(&inode->i_lock); | 159 | spin_lock_init(&inode->i_lock); |
| 166 | lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key); | 160 | lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key); |
| 167 | 161 | ||
| @@ -201,9 +195,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode) | |||
| 201 | #endif | 195 | #endif |
| 202 | 196 | ||
| 203 | return 0; | 197 | return 0; |
| 204 | |||
| 205 | out_free_security: | ||
| 206 | security_inode_free(inode); | ||
| 207 | out: | 198 | out: |
| 208 | return -ENOMEM; | 199 | return -ENOMEM; |
| 209 | } | 200 | } |
| @@ -235,7 +226,6 @@ static struct inode *alloc_inode(struct super_block *sb) | |||
| 235 | void __destroy_inode(struct inode *inode) | 226 | void __destroy_inode(struct inode *inode) |
| 236 | { | 227 | { |
| 237 | BUG_ON(inode_has_buffers(inode)); | 228 | BUG_ON(inode_has_buffers(inode)); |
| 238 | ima_inode_free(inode); | ||
| 239 | security_inode_free(inode); | 229 | security_inode_free(inode); |
| 240 | fsnotify_inode_delete(inode); | 230 | fsnotify_inode_delete(inode); |
| 241 | #ifdef CONFIG_FS_POSIX_ACL | 231 | #ifdef CONFIG_FS_POSIX_ACL |