Merge branch 'wip-2.6.34' into old-private-masterarchived-private-master

author: Andrea Bastoni <bastoni@cs.unc.edu> 2010-05-30 19:16:45 -0400
committer: Andrea Bastoni <bastoni@cs.unc.edu> 2010-05-30 19:16:45 -0400
commit: ada47b5fe13d89735805b566185f4885f5a3f750 (patch)
tree: 644b88f8a71896307d71438e9b3af49126ffb22b /security/integrity
parent: 43e98717ad40a4ae64545b5ba047c7b86aa44f4f (diff)
parent: 3280f21d43ee541f97f8cda5792150d2dbec20d5 (diff)
11 files changed, 171 insertions, 252 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 53d9764e8f09..3d7846de8069 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -3,6 +3,7 @@
 config IMA
        bool "Integrity Measurement Architecture(IMA)"
        depends on ACPI
+        depends on SECURITY
        select SECURITYFS
        select CRYPTO
        select CRYPTO_HMAC
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 165eb5397ea5..47fb65d1fcbd 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -65,7 +65,6 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
                         const char *cause, int result, int info);
 /* Internal IMA function definitions */
-void ima_iintcache_init(void);
 int ima_init(void);
 void ima_cleanup(void);
 int ima_fs_init(void);
@@ -97,7 +96,6 @@ static inline unsigned long ima_hash_key(u8 *digest)
 /* iint cache flags */
 #define IMA_MEASURED            1
-#define IMA_IINT_DUMP_STACK     512
 /* integrity data associated with an inode */
 struct ima_iint_cache {
@@ -128,13 +126,11 @@ void ima_template_show(struct seq_file *m, void *e,
 */
 struct ima_iint_cache *ima_iint_insert(struct inode *inode);
 struct ima_iint_cache *ima_iint_find_get(struct inode *inode);
-struct ima_iint_cache *ima_iint_find_insert_get(struct inode *inode);
-void ima_iint_delete(struct inode *inode);
 void iint_free(struct kref *kref);
 void iint_rcu_free(struct rcu_head *rcu);
 /* IMA policy related functions */
-enum ima_hooks { PATH_CHECK = 1, FILE_MMAP, BPRM_CHECK };
+enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK };
 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask);
 void ima_init_policy(void);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 3cd58b60afd2..52015d098fdf 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -13,6 +13,7 @@
 *      and store_template.
 */
 #include <linux/module.h>
+#include <linux/slab.h>
 #include "ima.h"
 static const char *IMA_TEMPLATE_NAME = "ima";
@@ -95,12 +96,12 @@ err_out:
 * ima_must_measure - measure decision based on policy.
 * @inode: pointer to inode to measure
 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
- * @function: calling function (PATH_CHECK, BPRM_CHECK, FILE_MMAP)
+ * @function: calling function (FILE_CHECK, BPRM_CHECK, FILE_MMAP)
 *
 * The policy is defined in terms of keypairs:
 *              subj=, obj=, type=, func=, mask=, fsmagic=
 *      subj,obj, and type: are LSM specific.
- *      func: PATH_CHECK | BPRM_CHECK | FILE_MMAP
+ *      func: FILE_CHECK | BPRM_CHECK | FILE_MMAP
 *      mask: contains the permission mask
 *      fsmagic: hex value
 *
diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/ima/ima_audit.c
index ff513ff737f5..5af76340470c 100644
--- a/security/integrity/ima/ima_audit.c
+++ b/security/integrity/ima/ima_audit.c
@@ -11,6 +11,7 @@
 */
 #include <linux/fs.h>
+#include <linux/gfp.h>
 #include <linux/audit.h>
 #include "ima.h"
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 46642a19bc78..952e51373f58 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -18,6 +18,7 @@
 #include <linux/crypto.h>
 #include <linux/scatterlist.h>
 #include <linux/err.h>
+#include <linux/slab.h>
 #include "ima.h"
 static int init_desc(struct hash_desc *desc)
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 0c72c9c38956..07cb9c338cc4 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -16,6 +16,7 @@
 *      current measurement list and IMA statistics
 */
 #include <linux/fcntl.h>
+#include <linux/slab.h>
 #include <linux/module.h>
 #include <linux/seq_file.h>
 #include <linux/rculist.h>
diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c
index a4e2b1dac943..2c744d488014 100644
--- a/security/integrity/ima/ima_iint.c
+++ b/security/integrity/ima/ima_iint.c
@@ -14,13 +14,12 @@
 *      - cache integrity information associated with an inode
 *        using a radix tree.
 */
+#include <linux/slab.h>
 #include <linux/module.h>
 #include <linux/spinlock.h>
 #include <linux/radix-tree.h>
 #include "ima.h"
-#define ima_iint_delete ima_inode_free
 RADIX_TREE(ima_iint_store, GFP_ATOMIC);
 DEFINE_SPINLOCK(ima_iint_lock);
@@ -45,22 +44,18 @@ out:
        return iint;
 }
-/* Allocate memory for the iint associated with the inode
+/**
- * from the iint_cache slab, initialize the iint, and
+ * ima_inode_alloc - allocate an iint associated with an inode
- * insert it into the radix tree.
+ * @inode: pointer to the inode
- *
- * On success return a pointer to the iint; on failure return NULL.
 */
-struct ima_iint_cache *ima_iint_insert(struct inode *inode)
+int ima_inode_alloc(struct inode *inode)
 {
        struct ima_iint_cache *iint = NULL;
        int rc = 0;
-        if (!ima_initialized)
-                return iint;
        iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
        if (!iint)
-                return iint;
+                return -ENOMEM;
        rc = radix_tree_preload(GFP_NOFS);
        if (rc < 0)
@@ -69,67 +64,14 @@ struct ima_iint_cache *ima_iint_insert(struct inode *inode)
        spin_lock(&ima_iint_lock);
        rc = radix_tree_insert(&ima_iint_store, (unsigned long)inode, iint);
        spin_unlock(&ima_iint_lock);
+        radix_tree_preload_end();
 out:
-        if (rc < 0) {
+        if (rc < 0)
                kmem_cache_free(iint_cache, iint);
-                if (rc == -EEXIST) {
-                        spin_lock(&ima_iint_lock);
-                        iint = radix_tree_lookup(&ima_iint_store,
-                                                 (unsigned long)inode);
-                        spin_unlock(&ima_iint_lock);
-                } else
-                        iint = NULL;
-        }
-        radix_tree_preload_end();
-        return iint;
-}
-/**
+        return rc;
- * ima_inode_alloc - allocate an iint associated with an inode
- * @inode: pointer to the inode
- *
- * Return 0 on success, 1 on failure.
- */
-int ima_inode_alloc(struct inode *inode)
-{
-        struct ima_iint_cache *iint;
-        if (!ima_initialized)
-                return 0;
-        iint = ima_iint_insert(inode);
-        if (!iint)
-                return 1;
-        return 0;
 }
-/* ima_iint_find_insert_get - get the iint associated with an inode
- *
- * Most insertions are done at inode_alloc, except those allocated
- * before late_initcall. When the iint does not exist, allocate it,
- * initialize and insert it, and increment the iint refcount.
- *
- * (Can't initialize at security_initcall before any inodes are
- * allocated, got to wait at least until proc_init.)
- *
- *  Return the iint.
- */
-struct ima_iint_cache *ima_iint_find_insert_get(struct inode *inode)
-{
-        struct ima_iint_cache *iint = NULL;
-        iint = ima_iint_find_get(inode);
-        if (iint)
-                return iint;
-        iint = ima_iint_insert(inode);
-        if (iint)
-                kref_get(&iint->refcount);
-        return iint;
-}
-EXPORT_SYMBOL_GPL(ima_iint_find_insert_get);
 /* iint_free - called when the iint refcount goes to zero */
 void iint_free(struct kref *kref)
 {
@@ -164,17 +106,15 @@ void iint_rcu_free(struct rcu_head *rcu_head)
 }
 /**
- * ima_iint_delete - called on integrity_inode_free
+ * ima_inode_free - called on security_inode_free
 * @inode: pointer to the inode
 *
 * Free the integrity information(iint) associated with an inode.
 */
-void ima_iint_delete(struct inode *inode)
+void ima_inode_free(struct inode *inode)
 {
        struct ima_iint_cache *iint;
-        if (!ima_initialized)
-                return;
        spin_lock(&ima_iint_lock);
        iint = radix_tree_delete(&ima_iint_store, (unsigned long)inode);
        spin_unlock(&ima_iint_lock);
@@ -196,9 +136,11 @@ static void init_once(void *foo)
        kref_set(&iint->refcount, 1);
 }
-void __init ima_iintcache_init(void)
+static int __init ima_iintcache_init(void)
 {
        iint_cache =
            kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0,
                              SLAB_PANIC, init_once);
+        return 0;
 }
+security_initcall(ima_iintcache_init);
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index a40da7ae5900..b1bcb702a27c 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -16,6 +16,7 @@
 */
 #include <linux/module.h>
 #include <linux/scatterlist.h>
+#include <linux/slab.h>
 #include <linux/err.h>
 #include "ima.h"
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index b85e61bcf246..b2c89d9de2a4 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -13,14 +13,15 @@
 * License.
 *
 * File: ima_main.c
- *             implements the IMA hooks: ima_bprm_check, ima_file_mmap,
+ *      implements the IMA hooks: ima_bprm_check, ima_file_mmap,
- *             and ima_path_check.
+ *      and ima_file_check.
 */
 #include <linux/module.h>
 #include <linux/file.h>
 #include <linux/binfmts.h>
 #include <linux/mount.h>
 #include <linux/mman.h>
+#include <linux/slab.h>
 #include "ima.h"
@@ -35,50 +36,53 @@ static int __init hash_setup(char *str)
 }
 __setup("ima_hash=", hash_setup);
-/**
+struct ima_imbalance {
- * ima_file_free - called on __fput()
+        struct hlist_node node;
- * @file: pointer to file structure being freed
+        unsigned long fsmagic;
+};
+/*
+ * ima_limit_imbalance - emit one imbalance message per filesystem type
 *
- * Flag files that changed, based on i_version;
+ * Maintain list of filesystem types that do not measure files properly.
- * and decrement the iint readcount/writecount.
+ * Return false if unknown, true if known.
 */
-void ima_file_free(struct file *file)
+static bool ima_limit_imbalance(struct file *file)
 {
-        struct inode *inode = file->f_dentry->d_inode;
+        static DEFINE_SPINLOCK(ima_imbalance_lock);
-        struct ima_iint_cache *iint;
+        static HLIST_HEAD(ima_imbalance_list);
-        if (!ima_initialized || !S_ISREG(inode->i_mode))
+        struct super_block *sb = file->f_dentry->d_sb;
-                return;
+        struct ima_imbalance *entry;
-        iint = ima_iint_find_get(inode);
+        struct hlist_node *node;
-        if (!iint)
+        bool found = false;
-                return;
+        rcu_read_lock();
-        mutex_lock(&iint->mutex);
+        hlist_for_each_entry_rcu(entry, node, &ima_imbalance_list, node) {
-        if (iint->opencount <= 0) {
+                if (entry->fsmagic == sb->s_magic) {
-                printk(KERN_INFO
+                        found = true;
-                       "%s: %s open/free imbalance (r:%ld w:%ld o:%ld f:%ld)\n",
+                        break;
-                       __FUNCTION__, file->f_dentry->d_name.name,
-                       iint->readcount, iint->writecount,
-                       iint->opencount, atomic_long_read(&file->f_count));
-                if (!(iint->flags & IMA_IINT_DUMP_STACK)) {
-                        dump_stack();
-                        iint->flags |= IMA_IINT_DUMP_STACK;
                }
        }
-        iint->opencount--;
+        rcu_read_unlock();
+        if (found)
-        if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
+                goto out;
-                iint->readcount--;
-        if (file->f_mode & FMODE_WRITE) {
+        entry = kmalloc(sizeof(*entry), GFP_NOFS);
-                iint->writecount--;
+        if (!entry)
-                if (iint->writecount == 0) {
+                goto out;
-                        if (iint->version != inode->i_version)
+        entry->fsmagic = sb->s_magic;
-                                iint->flags &= ~IMA_MEASURED;
+        spin_lock(&ima_imbalance_lock);
-                }
+        /*
-        }
+         * we could have raced and something else might have added this fs
-        mutex_unlock(&iint->mutex);
+         * to the list, but we don't really care
-        kref_put(&iint->refcount, iint_free);
+         */
+        hlist_add_head_rcu(&entry->node, &ima_imbalance_list);
+        spin_unlock(&ima_imbalance_lock);
+        printk(KERN_INFO "IMA: unmeasured files on fsmagic: %lX\n",
+               entry->fsmagic);
+out:
+        return found;
 }
 /* ima_read_write_check - reflect possible reading/writing errors in the PCR.
@@ -111,196 +115,142 @@ static void ima_read_write_check(enum iint_pcr_error error,
        }
 }
-static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,
+/*
-                                const unsigned char *filename)
+ * Update the counts given an fmode_t
+ */
+static void ima_inc_counts(struct ima_iint_cache *iint, fmode_t mode)
 {
-        int rc = 0;
+        BUG_ON(!mutex_is_locked(&iint->mutex));
-        iint->opencount++;
-        iint->readcount++;
-        rc = ima_collect_measurement(iint, file);
-        if (!rc)
-                ima_store_measurement(iint, file, filename);
-        return rc;
-}
-static void ima_update_counts(struct ima_iint_cache *iint, int mask)
-{
        iint->opencount++;
-        if ((mask & MAY_WRITE) || (mask == 0))
+        if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
-                iint->writecount++;
-        else if (mask & (MAY_READ | MAY_EXEC))
                iint->readcount++;
+        if (mode & FMODE_WRITE)
+                iint->writecount++;
 }
-/**
+/*
- * ima_path_check - based on policy, collect/store measurement.
+ * ima_counts_get - increment file counts
- * @path: contains a pointer to the path to be measured
- * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
- *
- * Measure the file being open for readonly, based on the
- * ima_must_measure() policy decision.
 *
- * Keep read/write counters for all files, but only
+ * Maintain read/write counters for all files, but only
 * invalidate the PCR for measured files:
 *      - Opening a file for write when already open for read,
 *        results in a time of measure, time of use (ToMToU) error.
 *      - Opening a file for read when already open for write,
 *        could result in a file measurement error.
 *
- * Always return 0 and audit dentry_open failures.
- * (Return code will be based upon measurement appraisal.)
 */
-int ima_path_check(struct path *path, int mask, int update_counts)
+void ima_counts_get(struct file *file)
 {
-        struct inode *inode = path->dentry->d_inode;
+        struct dentry *dentry = file->f_path.dentry;
+        struct inode *inode = dentry->d_inode;
+        fmode_t mode = file->f_mode;
        struct ima_iint_cache *iint;
-        struct file *file = NULL;
        int rc;
        if (!ima_initialized || !S_ISREG(inode->i_mode))
-                return 0;
+                return;
-        iint = ima_iint_find_insert_get(inode);
+        iint = ima_iint_find_get(inode);
        if (!iint)
-                return 0;
+                return;
        mutex_lock(&iint->mutex);
-        if (update_counts)
+        rc = ima_must_measure(iint, inode, MAY_READ, FILE_CHECK);
-                ima_update_counts(iint, mask);
-        rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);
        if (rc < 0)
                goto out;
-        if ((mask & MAY_WRITE) || (mask == 0))
+        if (mode & FMODE_WRITE) {
-                ima_read_write_check(TOMTOU, iint, inode,
+                ima_read_write_check(TOMTOU, iint, inode, dentry->d_name.name);
-                                     path->dentry->d_name.name);
-        if ((mask & (MAY_WRITE | MAY_READ | MAY_EXEC)) != MAY_READ)
                goto out;
-        ima_read_write_check(OPEN_WRITERS, iint, inode,
-                             path->dentry->d_name.name);
-        if (!(iint->flags & IMA_MEASURED)) {
-                struct dentry *dentry = dget(path->dentry);
-                struct vfsmount *mnt = mntget(path->mnt);
-                file = dentry_open(dentry, mnt, O_RDONLY | O_LARGEFILE,
-                                   current_cred());
-                if (IS_ERR(file)) {
-                        int audit_info = 0;
-                        integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
-                                            dentry->d_name.name,
-                                            "add_measurement",
-                                            "dentry_open failed",
-                                            1, audit_info);
-                        file = NULL;
-                        goto out;
-                }
-                rc = get_path_measurement(iint, file, dentry->d_name.name);
        }
+        ima_read_write_check(OPEN_WRITERS, iint, inode, dentry->d_name.name);
 out:
+        ima_inc_counts(iint, file->f_mode);
        mutex_unlock(&iint->mutex);
-        if (file)
-                fput(file);
        kref_put(&iint->refcount, iint_free);
-        return 0;
 }
-EXPORT_SYMBOL_GPL(ima_path_check);
-static int process_measurement(struct file *file, const unsigned char *filename,
+/*
-                               int mask, int function)
+ * Decrement ima counts
+ */
+static void ima_dec_counts(struct ima_iint_cache *iint, struct inode *inode,
+                           struct file *file)
 {
-        struct inode *inode = file->f_dentry->d_inode;
+        mode_t mode = file->f_mode;
-        struct ima_iint_cache *iint;
+        BUG_ON(!mutex_is_locked(&iint->mutex));
-        int rc;
-        if (!ima_initialized || !S_ISREG(inode->i_mode))
+        iint->opencount--;
-                return 0;
+        if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
-        iint = ima_iint_find_insert_get(inode);
+                iint->readcount--;
-        if (!iint)
+        if (mode & FMODE_WRITE) {
-                return -ENOMEM;
+                iint->writecount--;
+                if (iint->writecount == 0) {
-        mutex_lock(&iint->mutex);
+                        if (iint->version != inode->i_version)
-        rc = ima_must_measure(iint, inode, mask, function);
+                                iint->flags &= ~IMA_MEASURED;
-        if (rc != 0)
+                }
-                goto out;
+        }
-        rc = ima_collect_measurement(iint, file);
+        if (((iint->opencount < 0) ||
-        if (!rc)
+             (iint->readcount < 0) ||
-                ima_store_measurement(iint, file, filename);
+             (iint->writecount < 0)) &&
-out:
+            !ima_limit_imbalance(file)) {
-        mutex_unlock(&iint->mutex);
+                printk(KERN_INFO "%s: open/free imbalance (r:%ld w:%ld o:%ld)\n",
-        kref_put(&iint->refcount, iint_free);
+                       __FUNCTION__, iint->readcount, iint->writecount,
-        return rc;
+                       iint->opencount);
+                dump_stack();
+        }
 }
-/*
+/**
- * ima_counts_put - decrement file counts
+ * ima_file_free - called on __fput()
+ * @file: pointer to file structure being freed
 *
- * File counts are incremented in ima_path_check. On file open
+ * Flag files that changed, based on i_version;
- * error, such as ETXTBSY, decrement the counts to prevent
+ * and decrement the iint readcount/writecount.
- * unnecessary imbalance messages.
 */
-void ima_counts_put(struct path *path, int mask)
+void ima_file_free(struct file *file)
 {
-        struct inode *inode = path->dentry->d_inode;
+        struct inode *inode = file->f_dentry->d_inode;
        struct ima_iint_cache *iint;
-        /* The inode may already have been freed, freeing the iint
+        if (!ima_initialized || !S_ISREG(inode->i_mode))
-         * with it. Verify the inode is not NULL before dereferencing
-         * it.
-         */
-        if (!ima_initialized || !inode || !S_ISREG(inode->i_mode))
                return;
-        iint = ima_iint_find_insert_get(inode);
+        iint = ima_iint_find_get(inode);
        if (!iint)
                return;
        mutex_lock(&iint->mutex);
-        iint->opencount--;
+        ima_dec_counts(iint, inode, file);
-        if ((mask & MAY_WRITE) || (mask == 0))
-                iint->writecount--;
-        else if (mask & (MAY_READ | MAY_EXEC))
-                iint->readcount--;
        mutex_unlock(&iint->mutex);
        kref_put(&iint->refcount, iint_free);
 }
-/*
+static int process_measurement(struct file *file, const unsigned char *filename,
- * ima_counts_get - increment file counts
+                               int mask, int function)
- *
- * - for IPC shm and shmat file.
- * - for nfsd exported files.
- *
- * Increment the counts for these files to prevent unnecessary
- * imbalance messages.
- */
-void ima_counts_get(struct file *file)
 {
        struct inode *inode = file->f_dentry->d_inode;
        struct ima_iint_cache *iint;
+        int rc;
        if (!ima_initialized || !S_ISREG(inode->i_mode))
-                return;
+                return 0;
-        iint = ima_iint_find_insert_get(inode);
+        iint = ima_iint_find_get(inode);
        if (!iint)
-                return;
+                return -ENOMEM;
        mutex_lock(&iint->mutex);
-        iint->opencount++;
+        rc = ima_must_measure(iint, inode, mask, function);
-        if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
+        if (rc != 0)
-                iint->readcount++;
+                goto out;
-        if (file->f_mode & FMODE_WRITE)
+        rc = ima_collect_measurement(iint, file);
-                iint->writecount++;
+        if (!rc)
+                ima_store_measurement(iint, file, filename);
+out:
        mutex_unlock(&iint->mutex);
        kref_put(&iint->refcount, iint_free);
+        return rc;
 }
-EXPORT_SYMBOL_GPL(ima_counts_get);
 /**
 * ima_file_mmap - based on policy, collect/store measurement.
@@ -347,11 +297,31 @@ int ima_bprm_check(struct linux_binprm *bprm)
        return 0;
 }
+/**
+ * ima_path_check - based on policy, collect/store measurement.
+ * @file: pointer to the file to be measured
+ * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
+ *
+ * Measure files based on the ima_must_measure() policy decision.
+ *
+ * Always return 0 and audit dentry_open failures.
+ * (Return code will be based upon measurement appraisal.)
+ */
+int ima_file_check(struct file *file, int mask)
+{
+        int rc;
+        rc = process_measurement(file, file->f_dentry->d_name.name,
+                                 mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
+                                 FILE_CHECK);
+        return 0;
+}
+EXPORT_SYMBOL_GPL(ima_file_check);
 static int __init init_ima(void)
 {
        int error;
-        ima_iintcache_init();
        error = ima_init();
        ima_initialized = 1;
        return error;
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e1278399b345..8643a93c5963 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -15,6 +15,7 @@
 #include <linux/security.h>
 #include <linux/magic.h>
 #include <linux/parser.h>
+#include <linux/slab.h>
 #include "ima.h"
@@ -67,7 +68,7 @@ static struct ima_measure_rule_entry default_rules[] = {
         .flags = IMA_FUNC | IMA_MASK},
        {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
         .flags = IMA_FUNC | IMA_MASK},
-        {.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
+        {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = 0,
         .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 };
@@ -282,8 +283,11 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
                        break;
                case Opt_func:
                        audit_log_format(ab, "func=%s ", args[0].from);
-                        if (strcmp(args[0].from, "PATH_CHECK") == 0)
+                        if (strcmp(args[0].from, "FILE_CHECK") == 0)
-                                entry->func = PATH_CHECK;
+                                entry->func = FILE_CHECK;
+                        /* PATH_CHECK is for backwards compat */
+                        else if (strcmp(args[0].from, "PATH_CHECK") == 0)
+                                entry->func = FILE_CHECK;
                        else if (strcmp(args[0].from, "FILE_MMAP") == 0)
                                entry->func = FILE_MMAP;
                        else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index a0880e9c8e05..46ba62b1adf5 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -20,6 +20,7 @@
 */
 #include <linux/module.h>
 #include <linux/rculist.h>
+#include <linux/slab.h>
 #include "ima.h"
 LIST_HEAD(ima_measurements);    /* list of all measurements */
author	Andrea Bastoni <bastoni@cs.unc.edu>	2010-05-30 19:16:45 -0400
committer	Andrea Bastoni <bastoni@cs.unc.edu>	2010-05-30 19:16:45 -0400
commit	ada47b5fe13d89735805b566185f4885f5a3f750 (patch)
tree	644b88f8a71896307d71438e9b3af49126ffb22b /security/integrity
parent	43e98717ad40a4ae64545b5ba047c7b86aa44f4f (diff)
parent	3280f21d43ee541f97f8cda5792150d2dbec20d5 (diff)