| author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2009-05-19 13:25:57 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2009-05-21 19:43:41 -0400 |
| commit | b9fc745db833bbf74b4988493b8cd902a84c9415 (patch) | |
| tree | 45a15174efb3b1c3dcbe5f0dc503e790c4f6fd70 /security | |
| parent | 932995f0ce52525b32ff5127b522c2c164de3810 (diff) | |
integrity: path_check update
- Add support in ima_path_check() for integrity checking without
incrementing the counts. (Required for nfsd.)
- rename and export opencount_get to ima_counts_get
- replace ima_shm_check calls with ima_counts_get
- export ima_path_check
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/integrity/ima/ima_main.c | 48 |
1 files changed, 29 insertions, 19 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index c4228c0eb2d0..a2eb23310eaf 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c | |||
| @@ -125,6 +125,15 @@ static int get_path_measurement(struct ima_iint_cache *iint, struct file *file, | |||
| 125 | return rc; | 125 | return rc; |
| 126 | } | 126 | } |
| 127 | 127 | ||
| 128 | static void ima_update_counts(struct ima_iint_cache *iint, int mask) | ||
| 129 | { | ||
| 130 | iint->opencount++; | ||
| 131 | if ((mask & MAY_WRITE) || (mask == 0)) | ||
| 132 | iint->writecount++; | ||
| 133 | else if (mask & (MAY_READ | MAY_EXEC)) | ||
| 134 | iint->readcount++; | ||
| 135 | } | ||
| 136 | |||
| 128 | /** | 137 | /** |
| 129 | * ima_path_check - based on policy, collect/store measurement. | 138 | * ima_path_check - based on policy, collect/store measurement. |
| 130 | * @path: contains a pointer to the path to be measured | 139 | * @path: contains a pointer to the path to be measured |
| @@ -143,7 +152,7 @@ static int get_path_measurement(struct ima_iint_cache *iint, struct file *file, | |||
| 143 | * Return 0 on success, an error code on failure. | 152 | * Return 0 on success, an error code on failure. |
| 144 | * (Based on the results of appraise_measurement().) | 153 | * (Based on the results of appraise_measurement().) |
| 145 | */ | 154 | */ |
| 146 | int ima_path_check(struct path *path, int mask) | 155 | int ima_path_check(struct path *path, int mask, int update_counts) |
| 147 | { | 156 | { |
| 148 | struct inode *inode = path->dentry->d_inode; | 157 | struct inode *inode = path->dentry->d_inode; |
| 149 | struct ima_iint_cache *iint; | 158 | struct ima_iint_cache *iint; |
| @@ -157,11 +166,8 @@ int ima_path_check(struct path *path, int mask) | |||
| 157 | return 0; | 166 | return 0; |
| 158 | 167 | ||
| 159 | mutex_lock(&iint->mutex); | 168 | mutex_lock(&iint->mutex); |
| 160 | iint->opencount++; | 169 | if (update_counts) |
| 161 | if ((mask & MAY_WRITE) || (mask == 0)) | 170 | ima_update_counts(iint, mask); |
| 162 | iint->writecount++; | ||
| 163 | else if (mask & (MAY_READ | MAY_EXEC)) | ||
| 164 | iint->readcount++; | ||
| 165 | 171 | ||
| 166 | rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK); | 172 | rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK); |
| 167 | if (rc < 0) | 173 | if (rc < 0) |
| @@ -197,6 +203,7 @@ out: | |||
| 197 | kref_put(&iint->refcount, iint_free); | 203 | kref_put(&iint->refcount, iint_free); |
| 198 | return 0; | 204 | return 0; |
| 199 | } | 205 | } |
| 206 | EXPORT_SYMBOL_GPL(ima_path_check); | ||
| 200 | 207 | ||
| 201 | static int process_measurement(struct file *file, const unsigned char *filename, | 208 | static int process_measurement(struct file *file, const unsigned char *filename, |
| 202 | int mask, int function) | 209 | int mask, int function) |
| @@ -225,7 +232,16 @@ out: | |||
| 225 | return rc; | 232 | return rc; |
| 226 | } | 233 | } |
| 227 | 234 | ||
| 228 | static void opencount_get(struct file *file) | 235 | /* |
| 236 | * ima_opens_get - increment file counts | ||
| 237 | * | ||
| 238 | * - for IPC shm and shmat file. | ||
| 239 | * - for nfsd exported files. | ||
| 240 | * | ||
| 241 | * Increment the counts for these files to prevent unnecessary | ||
| 242 | * imbalance messages. | ||
| 243 | */ | ||
| 244 | void ima_counts_get(struct file *file) | ||
| 229 | { | 245 | { |
| 230 | struct inode *inode = file->f_dentry->d_inode; | 246 | struct inode *inode = file->f_dentry->d_inode; |
| 231 | struct ima_iint_cache *iint; | 247 | struct ima_iint_cache *iint; |
| @@ -237,8 +253,14 @@ static void opencount_get(struct file *file) | |||
| 237 | return; | 253 | return; |
| 238 | mutex_lock(&iint->mutex); | 254 | mutex_lock(&iint->mutex); |
| 239 | iint->opencount++; | 255 | iint->opencount++; |
| 256 | if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) | ||
| 257 | iint->readcount++; | ||
| 258 | |||
| 259 | if (file->f_mode & FMODE_WRITE) | ||
| 260 | iint->writecount++; | ||
| 240 | mutex_unlock(&iint->mutex); | 261 | mutex_unlock(&iint->mutex); |
| 241 | } | 262 | } |
| 263 | EXPORT_SYMBOL_GPL(ima_counts_get); | ||
| 242 | 264 | ||
| 243 | /** | 265 | /** |
| 244 | * ima_file_mmap - based on policy, collect/store measurement. | 266 | * ima_file_mmap - based on policy, collect/store measurement. |
| @@ -263,18 +285,6 @@ int ima_file_mmap(struct file *file, unsigned long prot) | |||
| 263 | return 0; | 285 | return 0; |
| 264 | } | 286 | } |
| 265 | 287 | ||
| 266 | /* | ||
| 267 | * ima_shm_check - IPC shm and shmat create/fput a file | ||
| 268 | * | ||
| 269 | * Maintain the opencount for these files to prevent unnecessary | ||
| 270 | * imbalance messages. | ||
| 271 | */ | ||
| 272 | void ima_shm_check(struct file *file) | ||
| 273 | { | ||
| 274 | opencount_get(file); | ||
| 275 | return; | ||
| 276 | } | ||
| 277 | |||
| 278 | /** | 288 | /** |
| 279 | * ima_bprm_check - based on policy, collect/store measurement. | 289 | * ima_bprm_check - based on policy, collect/store measurement. |
| 280 | * @bprm: contains the linux_binprm structure | 290 | * @bprm: contains the linux_binprm structure |
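Review bot: The header comment added above the newly exported function still calls it `ima_opens_get` while the definition below is `ima_counts_get`; since the symbol is now exported, fix the name and make the block kernel-doc like the neighbouring `/**` headers: `/**`, ` * ima_counts_get - increment the iint open/read/write counts for @file`, ` * @file: an IPC shm or nfsd-exported file that bypasses the normal open path`. The two counting helpers also classify an open differently: `ima_update_counts()` treats `mask == 0` as a write, whereas `ima_counts_get()` leaves both readcount and writecount untouched for a file with neither FMODE_READ nor FMODE_WRITE, so if the balance check (not in this diff) compares opencount against readcount + writecount, such a file would still trigger the imbalance message this helper exists to avoid — worth confirming against ima_file_free(). The new `update_counts` parameter of ima_path_check() should likewise get an `@update_counts:` line in its kernel-doc block; that part of the comment (new lines 140-151) falls between the shown hunks, so it may already be there.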
