diff options
| author | Dmitry Kasatkin <dmitry.kasatkin@intel.com> | 2012-09-03 17:40:17 -0400 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2013-01-16 17:50:03 -0500 |
| commit | ea1046d4c57ee6e3d5f68f19dd9a45bbab0b71a0 (patch) | |
| tree | 5779ef0eadc9b871f0b1b06cc0107d0c28dfc726 /security/integrity | |
| parent | ee866331749b07373743ce18ceaffb1dd841d855 (diff) | |
ima: move full pathname resolution to separate function
Define a new function ima_d_path(), which returns the full pathname.
This function will be used further, for example, by the directory
verification code.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
| -rw-r--r-- | security/integrity/ima/ima.h | 1 | ||||
| -rw-r--r-- | security/integrity/ima/ima_api.c | 17 | ||||
| -rw-r--r-- | security/integrity/ima/ima_main.c | 51 |
3 files changed, 38 insertions, 31 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 1385c5c172f7..991844db98d9 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h | |||
| @@ -119,6 +119,7 @@ void ima_audit_measurement(struct integrity_iint_cache *iint, | |||
| 119 | int ima_store_template(struct ima_template_entry *entry, int violation, | 119 | int ima_store_template(struct ima_template_entry *entry, int violation, |
| 120 | struct inode *inode); | 120 | struct inode *inode); |
| 121 | void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show); | 121 | void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show); |
| 122 | const char *ima_d_path(struct path *path, char **pathbuf); | ||
| 122 | 123 | ||
| 123 | /* rbtree tree calls to lookup, insert, delete | 124 | /* rbtree tree calls to lookup, insert, delete |
| 124 | * integrity data associated with an inode. | 125 | * integrity data associated with an inode. |
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index fc722b44c416..9382a4c568b2 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c | |||
| @@ -237,3 +237,20 @@ void ima_audit_measurement(struct integrity_iint_cache *iint, | |||
| 237 | 237 | ||
| 238 | iint->flags |= IMA_AUDITED; | 238 | iint->flags |= IMA_AUDITED; |
| 239 | } | 239 | } |
| 240 | |||
| 241 | const char *ima_d_path(struct path *path, char **pathbuf) | ||
| 242 | { | ||
| 243 | char *pathname = NULL; | ||
| 244 | |||
| 245 | /* We will allow 11 spaces for ' (deleted)' to be appended */ | ||
| 246 | *pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL); | ||
| 247 | if (*pathbuf) { | ||
| 248 | pathname = d_path(path, *pathbuf, PATH_MAX + 11); | ||
| 249 | if (IS_ERR(pathname)) { | ||
| 250 | kfree(*pathbuf); | ||
| 251 | *pathbuf = NULL; | ||
| 252 | pathname = NULL; | ||
| 253 | } | ||
| 254 | } | ||
| 255 | return pathname; | ||
| 256 | } | ||
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 970693d1a320..d743c9a0a4b4 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c | |||
| @@ -61,7 +61,8 @@ static void ima_rdwr_violation_check(struct file *file) | |||
| 61 | fmode_t mode = file->f_mode; | 61 | fmode_t mode = file->f_mode; |
| 62 | int must_measure; | 62 | int must_measure; |
| 63 | bool send_tomtou = false, send_writers = false; | 63 | bool send_tomtou = false, send_writers = false; |
| 64 | unsigned char *pathname = NULL, *pathbuf = NULL; | 64 | char *pathbuf = NULL; |
| 65 | const char *pathname; | ||
| 65 | 66 | ||
| 66 | if (!S_ISREG(inode->i_mode) || !ima_initialized) | 67 | if (!S_ISREG(inode->i_mode) || !ima_initialized) |
| 67 | return; | 68 | return; |
| @@ -86,22 +87,15 @@ out: | |||
| 86 | if (!send_tomtou && !send_writers) | 87 | if (!send_tomtou && !send_writers) |
| 87 | return; | 88 | return; |
| 88 | 89 | ||
| 89 | /* We will allow 11 spaces for ' (deleted)' to be appended */ | 90 | pathname = ima_d_path(&file->f_path, &pathbuf); |
| 90 | pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL); | 91 | if (!pathname || strlen(pathname) > IMA_EVENT_NAME_LEN_MAX) |
| 91 | if (pathbuf) { | 92 | pathname = dentry->d_name.name; |
| 92 | pathname = d_path(&file->f_path, pathbuf, PATH_MAX + 11); | 93 | |
| 93 | if (IS_ERR(pathname)) | ||
| 94 | pathname = NULL; | ||
| 95 | else if (strlen(pathname) > IMA_EVENT_NAME_LEN_MAX) | ||
| 96 | pathname = NULL; | ||
| 97 | } | ||
| 98 | if (send_tomtou) | 94 | if (send_tomtou) |
| 99 | ima_add_violation(inode, | 95 | ima_add_violation(inode, pathname, |
| 100 | !pathname ? dentry->d_name.name : pathname, | ||
| 101 | "invalid_pcr", "ToMToU"); | 96 | "invalid_pcr", "ToMToU"); |
| 102 | if (send_writers) | 97 | if (send_writers) |
| 103 | ima_add_violation(inode, | 98 | ima_add_violation(inode, pathname, |
| 104 | !pathname ? dentry->d_name.name : pathname, | ||
| 105 | "invalid_pcr", "open_writers"); | 99 | "invalid_pcr", "open_writers"); |
| 106 | kfree(pathbuf); | 100 | kfree(pathbuf); |
| 107 | } | 101 | } |
| @@ -145,12 +139,13 @@ void ima_file_free(struct file *file) | |||
| 145 | ima_check_last_writer(iint, inode, file); | 139 | ima_check_last_writer(iint, inode, file); |
| 146 | } | 140 | } |
| 147 | 141 | ||
| 148 | static int process_measurement(struct file *file, const unsigned char *filename, | 142 | static int process_measurement(struct file *file, const char *filename, |
| 149 | int mask, int function) | 143 | int mask, int function) |
| 150 | { | 144 | { |
| 151 | struct inode *inode = file->f_dentry->d_inode; | 145 | struct inode *inode = file->f_dentry->d_inode; |
| 152 | struct integrity_iint_cache *iint; | 146 | struct integrity_iint_cache *iint; |
| 153 | unsigned char *pathname = NULL, *pathbuf = NULL; | 147 | char *pathbuf = NULL; |
| 148 | const char *pathname = NULL; | ||
| 154 | int rc = -ENOMEM, action, must_appraise; | 149 | int rc = -ENOMEM, action, must_appraise; |
| 155 | 150 | ||
| 156 | if (!ima_initialized || !S_ISREG(inode->i_mode)) | 151 | if (!ima_initialized || !S_ISREG(inode->i_mode)) |
| @@ -187,24 +182,18 @@ static int process_measurement(struct file *file, const unsigned char *filename, | |||
| 187 | if (rc != 0) | 182 | if (rc != 0) |
| 188 | goto out; | 183 | goto out; |
| 189 | 184 | ||
| 190 | if (function != BPRM_CHECK) { | 185 | if (function != BPRM_CHECK) |
| 191 | /* We will allow 11 spaces for ' (deleted)' to be appended */ | 186 | pathname = ima_d_path(&file->f_path, &pathbuf); |
| 192 | pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL); | 187 | |
| 193 | if (pathbuf) { | 188 | if (!pathname) |
| 194 | pathname = | 189 | pathname = filename; |
| 195 | d_path(&file->f_path, pathbuf, PATH_MAX + 11); | 190 | |
| 196 | if (IS_ERR(pathname)) | ||
| 197 | pathname = NULL; | ||
| 198 | } | ||
| 199 | } | ||
| 200 | if (action & IMA_MEASURE) | 191 | if (action & IMA_MEASURE) |
| 201 | ima_store_measurement(iint, file, | 192 | ima_store_measurement(iint, file, pathname); |
| 202 | !pathname ? filename : pathname); | ||
| 203 | if (action & IMA_APPRAISE) | 193 | if (action & IMA_APPRAISE) |
| 204 | rc = ima_appraise_measurement(iint, file, | 194 | rc = ima_appraise_measurement(iint, file, pathname); |
| 205 | !pathname ? filename : pathname); | ||
| 206 | if (action & IMA_AUDIT) | 195 | if (action & IMA_AUDIT) |
| 207 | ima_audit_measurement(iint, !pathname ? filename : pathname); | 196 | ima_audit_measurement(iint, pathname); |
| 208 | kfree(pathbuf); | 197 | kfree(pathbuf); |
| 209 | out: | 198 | out: |
| 210 | mutex_unlock(&inode->i_mutex); | 199 | mutex_unlock(&inode->i_mutex); |