| -rw-r--r-- | Documentation/ABI/testing/ima_policy | 12 | ||||
| -rw-r--r-- | security/integrity/ima/ima.h | 2 | ||||
| -rw-r--r-- | security/integrity/ima/ima_api.c | 4 | ||||
| -rw-r--r-- | security/integrity/ima/ima_main.c | 4 | ||||
| -rw-r--r-- | security/integrity/ima/ima_policy.c | 9 |
5 files changed, 17 insertions, 14 deletions
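--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -20,7 +20,7 @@ Description:
 lsm: [[subj_user=] [subj_role=] [subj_type=]
 [obj_user=] [obj_role=] [obj_type=]]
 
-base: func:= [BPRM_CHECK][FILE_MMAP][INODE_PERMISSION]
+base: func:= [BPRM_CHECK][FILE_MMAP][FILE_CHECK]
 mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
 fsmagic:= hex value
 uid:= decimal value
@@ -40,11 +40,11 @@ Description:
 
 measure func=BPRM_CHECK
 measure func=FILE_MMAP mask=MAY_EXEC
-measure func=INODE_PERM mask=MAY_READ uid=0
+measure func=FILE_CHECK mask=MAY_READ uid=0
 
 The default policy measures all executables in bprm_check,
 all files mmapped executable in file_mmap, and all files
-open for read by root in inode_permission.
+open for read by root in do_filp_open.
 
 Examples of LSM specific definitions:
 
@@ -54,8 +54,8 @@ Description:
 
 dont_measure obj_type=var_log_t
 dont_measure obj_type=auditd_log_t
-measure subj_user=system_u func=INODE_PERM mask=MAY_READ
-measure subj_role=system_r func=INODE_PERM mask=MAY_READ
+measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
+measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
 
 Smack:
-measure subj_user=_ func=INODE_PERM mask=MAY_READ
+measure subj_user=_ func=FILE_CHECK mask=MAY_READ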
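--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -130,7 +130,7 @@ void iint_free(struct kref *kref);
 void iint_rcu_free(struct rcu_head *rcu);
 
 /* IMA policy related functions */
-enum ima_hooks { PATH_CHECK = 1, FILE_MMAP, BPRM_CHECK };
+enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK };
 
 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask);
 void ima_init_policy(void);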
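--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -95,12 +95,12 @@ err_out:
 * ima_must_measure - measure decision based on policy.
 * @inode: pointer to inode to measure
 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
-* @function: calling function (PATH_CHECK, BPRM_CHECK, FILE_MMAP)
+* @function: calling function (FILE_CHECK, BPRM_CHECK, FILE_MMAP)
 *
 * The policy is defined in terms of keypairs:
 * subj=, obj=, type=, func=, mask=, fsmagic=
 * subj,obj, and type: are LSM specific.
-* func: PATH_CHECK | BPRM_CHECK | FILE_MMAP
+* func: FILE_CHECK | BPRM_CHECK | FILE_MMAP
 * mask: contains the permission mask
 * fsmagic: hex value
 *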
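--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -153,7 +153,7 @@ void ima_counts_get(struct file *file)
 if (!iint)
 return;
 mutex_lock(&iint->mutex);
-rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);
+rc = ima_must_measure(iint, inode, MAY_READ, FILE_CHECK);
 if (rc < 0)
 goto out;
 
@@ -312,7 +312,7 @@ int ima_file_check(struct file *file, int mask)
 
 rc = process_measurement(file, file->f_dentry->d_name.name,
 mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
-PATH_CHECK);
+FILE_CHECK);
 return 0;
 }
 EXPORT_SYMBOL_GPL(ima_file_check);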
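--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -67,7 +67,7 @@ static struct ima_measure_rule_entry default_rules[] = {
 .flags = IMA_FUNC | IMA_MASK},
 {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
 .flags = IMA_FUNC | IMA_MASK},
-{.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
+{.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = 0,
 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 };
 
@@ -282,8 +282,11 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
 break;
 case Opt_func:
 audit_log_format(ab, "func=%s ", args[0].from);
-if (strcmp(args[0].from, "PATH_CHECK") == 0)
-entry->func = PATH_CHECK;
+if (strcmp(args[0].from, "FILE_CHECK") == 0)
+entry->func = FILE_CHECK;
+/* PATH_CHECK is for backwards compat */
+else if (strcmp(args[0].from, "PATH_CHECK") == 0)
+entry->func = FILE_CHECK;
 else if (strcmp(args[0].from, "FILE_MMAP") == 0)
 entry->func = FILE_MMAP;
 else if (strcmp(args[0].from, "BPRM_CHECK") == 0)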
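Review bot: The backward-compat alias added as a separate `else if` for "PATH_CHECK" duplicates the FILE_CHECK branch, and its explanatory comment sits between two arms of the same if/else chain, which is unusual in kernel style and easy to misread as belonging to the arm above; folding both spellings into one condition, `if (strcmp(args[0].from, "FILE_CHECK") == 0 || strcmp(args[0].from, "PATH_CHECK") == 0) /* PATH_CHECK kept for backwards compat */ entry->func = FILE_CHECK;`, keeps the comment on the branch it describes. Because the audit record on the preceding line is written from `args[0].from`, a legacy policy will still be logged as `func=PATH_CHECK` while being enforced as FILE_CHECK, which is defensible for matching the loaded policy text but worth stating in the comment. The ABI document changed by this commit does not mention that PATH_CHECK remains accepted, so a sentence there noting the deprecated alias would tell administrators which existing policies still load. ima_parse_rule's body continues outside the hunk on both sides.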
