5 files changed, 155 insertions, 19 deletions
diff --git a/include/linux/evm.h b/include/linux/evm.h
new file mode 100644
index 000000000000..db5556dcdd27
--- /dev/null
+++ b/include/linux/evm.h
@@ -0,0 +1,92 @@
+/*
+ * evm.h
+ *
+ * Copyright (c) 2009 IBM Corporation
+ * Author: Mimi Zohar <zohar@us.ibm.com>
+ */
+#ifndef _LINUX_EVM_H
+#define _LINUX_EVM_H
+#include <linux/integrity.h>
+#include <linux/xattr.h>
+struct integrity_iint_cache;
+#ifdef CONFIG_EVM
+extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
+                                             const char *xattr_name,
+                                             void *xattr_value,
+                                             size_t xattr_value_len,
+                                             struct integrity_iint_cache *iint);
+extern int evm_inode_setattr(struct dentry *dentry, struct iattr *attr);
+extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid);
+extern int evm_inode_setxattr(struct dentry *dentry, const char *name,
+                              const void *value, size_t size);
+extern void evm_inode_post_setxattr(struct dentry *dentry,
+                                    const char *xattr_name,
+                                    const void *xattr_value,
+                                    size_t xattr_value_len);
+extern int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name);
+extern void evm_inode_post_removexattr(struct dentry *dentry,
+                                       const char *xattr_name);
+extern int evm_inode_init_security(struct inode *inode,
+                                   const struct xattr *xattr_array,
+                                   struct xattr *evm);
+#else
+#ifdef CONFIG_INTEGRITY
+static inline enum integrity_status evm_verifyxattr(struct dentry *dentry,
+                                                    const char *xattr_name,
+                                                    void *xattr_value,
+                                                    size_t xattr_value_len,
+                                        struct integrity_iint_cache *iint)
+{
+        return INTEGRITY_UNKNOWN;
+}
+#endif
+static int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
+{
+        return 0;
+}
+static inline void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
+{
+        return;
+}
+static inline int evm_inode_setxattr(struct dentry *dentry, const char *name,
+                                     const void *value, size_t size)
+{
+        return 0;
+}
+static inline void evm_inode_post_setxattr(struct dentry *dentry,
+                                           const char *xattr_name,
+                                           const void *xattr_value,
+                                           size_t xattr_value_len)
+{
+        return;
+}
+static inline int evm_inode_removexattr(struct dentry *dentry,
+                                        const char *xattr_name)
+{
+        return 0;
+}
+static inline void evm_inode_post_removexattr(struct dentry *dentry,
+                                              const char *xattr_name)
+{
+        return;
+}
+static inline int evm_inode_init_security(struct inode *inode,
+                                          const struct xattr *xattr_array,
+                                          struct xattr *evm)
+{
+        return -EOPNOTSUPP;
+}
+#endif /* CONFIG_EVM_H */
+#endif /* LINUX_EVM_H */
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 09e6e62f9953..6ac8e50c6cf5 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -15,8 +15,6 @@ struct linux_binprm;
 #ifdef CONFIG_IMA
 extern int ima_bprm_check(struct linux_binprm *bprm);
-extern int ima_inode_alloc(struct inode *inode);
-extern void ima_inode_free(struct inode *inode);
 extern int ima_file_check(struct file *file, int mask);
 extern void ima_file_free(struct file *file);
 extern int ima_file_mmap(struct file *file, unsigned long prot);
@@ -27,16 +25,6 @@ static inline int ima_bprm_check(struct linux_binprm *bprm)
        return 0;
 }
-static inline int ima_inode_alloc(struct inode *inode)
-{
-        return 0;
-}
-static inline void ima_inode_free(struct inode *inode)
-{
-        return;
-}
 static inline int ima_file_check(struct file *file, int mask)
 {
        return 0;
@@ -51,6 +39,5 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
 {
        return 0;
 }
 #endif /* CONFIG_IMA_H */
 #endif /* _LINUX_IMA_H */
diff --git a/include/linux/integrity.h b/include/linux/integrity.h
new file mode 100644
index 000000000000..968443385678
--- /dev/null
+++ b/include/linux/integrity.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2009 IBM Corporation
+ * Author: Mimi Zohar <zohar@us.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2 of the License.
+ */
+#ifndef _LINUX_INTEGRITY_H
+#define _LINUX_INTEGRITY_H
+#include <linux/fs.h>
+enum integrity_status {
+        INTEGRITY_PASS = 0,
+        INTEGRITY_FAIL,
+        INTEGRITY_NOLABEL,
+        INTEGRITY_UNKNOWN,
+};
+/* List of EVM protected security xattrs */
+#ifdef CONFIG_INTEGRITY
+extern int integrity_inode_alloc(struct inode *inode);
+extern void integrity_inode_free(struct inode *inode);
+#else
+static inline int integrity_inode_alloc(struct inode *inode)
+{
+        return 0;
+}
+static inline void integrity_inode_free(struct inode *inode)
+{
+        return;
+}
+#endif /* CONFIG_INTEGRITY_H */
+#endif /* _LINUX_INTEGRITY_H */
diff --git a/include/linux/security.h b/include/linux/security.h
index ebd2a53a3d07..1c528b19a329 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -36,6 +36,7 @@
 #include <linux/key.h>
 #include <linux/xfrm.h>
 #include <linux/slab.h>
+#include <linux/xattr.h>
 #include <net/flow.h>
 /* Maximum number of letters for an LSM name string */
@@ -147,6 +148,10 @@ extern int mmap_min_addr_handler(struct ctl_table *table, int write,
                                 void __user *buffer, size_t *lenp, loff_t *ppos);
 #endif
+/* security_inode_init_security callback function to write xattrs */
+typedef int (*initxattrs) (struct inode *inode,
+                           const struct xattr *xattr_array, void *fs_data);
 #ifdef CONFIG_SECURITY
 struct security_mnt_opts {
@@ -1704,8 +1709,11 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
 int security_inode_alloc(struct inode *inode);
 void security_inode_free(struct inode *inode);
 int security_inode_init_security(struct inode *inode, struct inode *dir,
-                                 const struct qstr *qstr, char **name,
+                                 const struct qstr *qstr,
-                                 void **value, size_t *len);
+                                 initxattrs initxattrs, void *fs_data);
+int security_old_inode_init_security(struct inode *inode, struct inode *dir,
+                                     const struct qstr *qstr, char **name,
+                                     void **value, size_t *len);
 int security_inode_create(struct inode *dir, struct dentry *dentry, int mode);
 int security_inode_link(struct dentry *old_dentry, struct inode *dir,
                         struct dentry *new_dentry);
@@ -2034,9 +2042,8 @@ static inline void security_inode_free(struct inode *inode)
 static inline int security_inode_init_security(struct inode *inode,
                                                struct inode *dir,
                                                const struct qstr *qstr,
-                                                char **name,
+                                                initxattrs initxattrs,
-                                                void **value,
+                                                void *fs_data)
-                                                size_t *len)
 {
        return -EOPNOTSUPP;
 }
diff --git a/include/linux/xattr.h b/include/linux/xattr.h
index aed54c50aa66..b20cb965c322 100644
--- a/include/linux/xattr.h
+++ b/include/linux/xattr.h
@@ -30,6 +30,9 @@
 #define XATTR_USER_PREFIX_LEN (sizeof (XATTR_USER_PREFIX) - 1)
 /* Security namespace */
+#define XATTR_EVM_SUFFIX "evm"
+#define XATTR_NAME_EVM XATTR_SECURITY_PREFIX XATTR_EVM_SUFFIX
 #define XATTR_SELINUX_SUFFIX "selinux"
 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
@@ -67,6 +70,12 @@ struct xattr_handler {
                   size_t size, int flags, int handler_flags);
 };
+struct xattr {
+        char *name;
+        void *value;
+        size_t value_len;
+};
 ssize_t xattr_getsecurity(struct inode *, const char *, void *, size_t);
 ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t);
 ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size);
@@ -78,7 +87,10 @@ ssize_t generic_getxattr(struct dentry *dentry, const char *name, void *buffer,
 ssize_t generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size);
 int generic_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags);
 int generic_removexattr(struct dentry *dentry, const char *name);
+ssize_t vfs_getxattr_alloc(struct dentry *dentry, const char *name,
+                           char **xattr_value, size_t size, gfp_t flags);
+int vfs_xattr_cmp(struct dentry *dentry, const char *xattr_name,
+                  const char *value, size_t size, gfp_t flags);
 #endif  /*  __KERNEL__  */
 #endif  /* _LINUX_XATTR_H */

diff --git a/include/linux/evm.h b/include/linux/evm.h new file mode 100644 index 000000000000..db5556dcdd27 --- /dev/null +++ b/include/linux/evm.h
@@ -0,0 +1,92 @@
		1	/*
		2	* evm.h
		3	*
		4	* Copyright (c) 2009 IBM Corporation
		5	* Author: Mimi Zohar <zohar@us.ibm.com>
		6	*/
		7
		8	#ifndef _LINUX_EVM_H
		9	#define _LINUX_EVM_H
		10
		11	#include <linux/integrity.h>
		12	#include <linux/xattr.h>
		13
		14	struct integrity_iint_cache;
		15
		16	#ifdef CONFIG_EVM
		17	extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
		18	const char *xattr_name,
		19	void *xattr_value,
		20	size_t xattr_value_len,
		21	struct integrity_iint_cache *iint);
		22	extern int evm_inode_setattr(struct dentry dentry, struct iattr attr);
		23	extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid);
		24	extern int evm_inode_setxattr(struct dentry dentry, const char name,
		25	const void *value, size_t size);
		26	extern void evm_inode_post_setxattr(struct dentry *dentry,
		27	const char *xattr_name,
		28	const void *xattr_value,
		29	size_t xattr_value_len);
		30	extern int evm_inode_removexattr(struct dentry dentry, const char xattr_name);
		31	extern void evm_inode_post_removexattr(struct dentry *dentry,
		32	const char *xattr_name);
		33	extern int evm_inode_init_security(struct inode *inode,
		34	const struct xattr *xattr_array,
		35	struct xattr *evm);
		36	#else
		37	#ifdef CONFIG_INTEGRITY
		38	static inline enum integrity_status evm_verifyxattr(struct dentry *dentry,
		39	const char *xattr_name,
		40	void *xattr_value,
		41	size_t xattr_value_len,
		42	struct integrity_iint_cache *iint)
		43	{
		44	return INTEGRITY_UNKNOWN;
		45	}
		46	#endif
		47
		48	static int evm_inode_setattr(struct dentry dentry, struct iattr attr)
		49	{
		50	return 0;
		51	}
		52
		53	static inline void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
		54	{
		55	return;
		56	}
		57
		58	static inline int evm_inode_setxattr(struct dentry dentry, const char name,
		59	const void *value, size_t size)
		60	{
		61	return 0;
		62	}
		63
		64	static inline void evm_inode_post_setxattr(struct dentry *dentry,
		65	const char *xattr_name,
		66	const void *xattr_value,
		67	size_t xattr_value_len)
		68	{
		69	return;
		70	}
		71
		72	static inline int evm_inode_removexattr(struct dentry *dentry,
		73	const char *xattr_name)
		74	{
		75	return 0;
		76	}
		77
		78	static inline void evm_inode_post_removexattr(struct dentry *dentry,
		79	const char *xattr_name)
		80	{
		81	return;
		82	}
		83
		84	static inline int evm_inode_init_security(struct inode *inode,
		85	const struct xattr *xattr_array,
		86	struct xattr *evm)
		87	{
		88	return -EOPNOTSUPP;
		89	}
		90
		91	#endif /* CONFIG_EVM_H */
		92	#endif /* LINUX_EVM_H */


diff --git a/include/linux/ima.h b/include/linux/ima.h index 09e6e62f9953..6ac8e50c6cf5 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h
@@ -15,8 +15,6 @@ struct linux_binprm;
15		15
16	#ifdef CONFIG_IMA	16	#ifdef CONFIG_IMA
17	extern int ima_bprm_check(struct linux_binprm *bprm);	17	extern int ima_bprm_check(struct linux_binprm *bprm);
18	extern int ima_inode_alloc(struct inode *inode);
19	extern void ima_inode_free(struct inode *inode);
20	extern int ima_file_check(struct file *file, int mask);	18	extern int ima_file_check(struct file *file, int mask);
21	extern void ima_file_free(struct file *file);	19	extern void ima_file_free(struct file *file);
22	extern int ima_file_mmap(struct file *file, unsigned long prot);	20	extern int ima_file_mmap(struct file *file, unsigned long prot);
@@ -27,16 +25,6 @@ static inline int ima_bprm_check(struct linux_binprm *bprm)
27	return 0;	25	return 0;
28	}	26	}
29		27
30	static inline int ima_inode_alloc(struct inode *inode)
31	{
32	return 0;
33	}
34
35	static inline void ima_inode_free(struct inode *inode)
36	{
37	return;
38	}
39
40	static inline int ima_file_check(struct file *file, int mask)	28	static inline int ima_file_check(struct file *file, int mask)
41	{	29	{
42	return 0;	30	return 0;
@@ -51,6 +39,5 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
51	{	39	{
52	return 0;	40	return 0;
53	}	41	}
54
55	#endif /* CONFIG_IMA_H */	42	#endif /* CONFIG_IMA_H */
56	#endif /* _LINUX_IMA_H */	43	#endif /* _LINUX_IMA_H */


diff --git a/include/linux/integrity.h b/include/linux/integrity.h new file mode 100644 index 000000000000..968443385678 --- /dev/null +++ b/include/linux/integrity.h
@@ -0,0 +1,38 @@
		1	/*
		2	* Copyright (C) 2009 IBM Corporation
		3	* Author: Mimi Zohar <zohar@us.ibm.com>
		4	*
		5	* This program is free software; you can redistribute it and/or modify
		6	* it under the terms of the GNU General Public License as published by
		7	* the Free Software Foundation, version 2 of the License.
		8	*/
		9
		10	#ifndef _LINUX_INTEGRITY_H
		11	#define _LINUX_INTEGRITY_H
		12
		13	#include <linux/fs.h>
		14
		15	enum integrity_status {
		16	INTEGRITY_PASS = 0,
		17	INTEGRITY_FAIL,
		18	INTEGRITY_NOLABEL,
		19	INTEGRITY_UNKNOWN,
		20	};
		21
		22	/* List of EVM protected security xattrs */
		23	#ifdef CONFIG_INTEGRITY
		24	extern int integrity_inode_alloc(struct inode *inode);
		25	extern void integrity_inode_free(struct inode *inode);
		26
		27	#else
		28	static inline int integrity_inode_alloc(struct inode *inode)
		29	{
		30	return 0;
		31	}
		32
		33	static inline void integrity_inode_free(struct inode *inode)
		34	{
		35	return;
		36	}
		37	#endif /* CONFIG_INTEGRITY_H */
		38	#endif /* _LINUX_INTEGRITY_H */


diff --git a/include/linux/security.h b/include/linux/security.h index ebd2a53a3d07..1c528b19a329 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -36,6 +36,7 @@
36	#include <linux/key.h>	36	#include <linux/key.h>
37	#include <linux/xfrm.h>	37	#include <linux/xfrm.h>
38	#include <linux/slab.h>	38	#include <linux/slab.h>
		39	#include <linux/xattr.h>
39	#include <net/flow.h>	40	#include <net/flow.h>
40		41
41	/* Maximum number of letters for an LSM name string */	42	/* Maximum number of letters for an LSM name string */
@@ -147,6 +148,10 @@ extern int mmap_min_addr_handler(struct ctl_table *table, int write,
147	void __user buffer, size_t lenp, loff_t *ppos);	148	void __user buffer, size_t lenp, loff_t *ppos);
148	#endif	149	#endif
149		150
		151	/* security_inode_init_security callback function to write xattrs */
		152	typedef int (initxattrs) (struct inode inode,
		153	const struct xattr xattr_array, void fs_data);
		154
150	#ifdef CONFIG_SECURITY	155	#ifdef CONFIG_SECURITY
151		156
152	struct security_mnt_opts {	157	struct security_mnt_opts {
@@ -1704,8 +1709,11 @@ int security_sb_parse_opts_str(char options, struct security_mnt_opts opts);
1704	int security_inode_alloc(struct inode *inode);	1709	int security_inode_alloc(struct inode *inode);
1705	void security_inode_free(struct inode *inode);	1710	void security_inode_free(struct inode *inode);
1706	int security_inode_init_security(struct inode inode, struct inode dir,	1711	int security_inode_init_security(struct inode inode, struct inode dir,
1707	const struct qstr qstr, char *name,	1712	const struct qstr *qstr,
1708	void *value, size_t len);	1713	initxattrs initxattrs, void *fs_data);
		1714	int security_old_inode_init_security(struct inode inode, struct inode dir,
		1715	const struct qstr qstr, char *name,
		1716	void *value, size_t len);
1709	int security_inode_create(struct inode dir, struct dentry dentry, int mode);	1717	int security_inode_create(struct inode dir, struct dentry dentry, int mode);
1710	int security_inode_link(struct dentry old_dentry, struct inode dir,	1718	int security_inode_link(struct dentry old_dentry, struct inode dir,
1711	struct dentry *new_dentry);	1719	struct dentry *new_dentry);
@@ -2034,9 +2042,8 @@ static inline void security_inode_free(struct inode *inode)
2034	static inline int security_inode_init_security(struct inode *inode,	2042	static inline int security_inode_init_security(struct inode *inode,
2035	struct inode *dir,	2043	struct inode *dir,
2036	const struct qstr *qstr,	2044	const struct qstr *qstr,
2037	char **name,	2045	initxattrs initxattrs,
2038	void **value,	2046	void *fs_data)
2039	size_t *len)
2040	{	2047	{
2041	return -EOPNOTSUPP;	2048	return -EOPNOTSUPP;
2042	}	2049	}


diff --git a/include/linux/xattr.h b/include/linux/xattr.h index aed54c50aa66..b20cb965c322 100644 --- a/include/linux/xattr.h +++ b/include/linux/xattr.h
@@ -30,6 +30,9 @@
30	#define XATTR_USER_PREFIX_LEN (sizeof (XATTR_USER_PREFIX) - 1)	30	#define XATTR_USER_PREFIX_LEN (sizeof (XATTR_USER_PREFIX) - 1)
31		31
32	/* Security namespace */	32	/* Security namespace */
		33	#define XATTR_EVM_SUFFIX "evm"
		34	#define XATTR_NAME_EVM XATTR_SECURITY_PREFIX XATTR_EVM_SUFFIX
		35
33	#define XATTR_SELINUX_SUFFIX "selinux"	36	#define XATTR_SELINUX_SUFFIX "selinux"
34	#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX	37	#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
35		38
@@ -67,6 +70,12 @@ struct xattr_handler {
67	size_t size, int flags, int handler_flags);	70	size_t size, int flags, int handler_flags);
68	};	71	};
69		72
		73	struct xattr {
		74	char *name;
		75	void *value;
		76	size_t value_len;
		77	};
		78
70	ssize_t xattr_getsecurity(struct inode , const char , void *, size_t);	79	ssize_t xattr_getsecurity(struct inode , const char , void *, size_t);
71	ssize_t vfs_getxattr(struct dentry , const char , void *, size_t);	80	ssize_t vfs_getxattr(struct dentry , const char , void *, size_t);
72	ssize_t vfs_listxattr(struct dentry d, char list, size_t size);	81	ssize_t vfs_listxattr(struct dentry d, char list, size_t size);
@@ -78,7 +87,10 @@ ssize_t generic_getxattr(struct dentry dentry, const char name, void *buffer,
78	ssize_t generic_listxattr(struct dentry dentry, char buffer, size_t buffer_size);	87	ssize_t generic_listxattr(struct dentry dentry, char buffer, size_t buffer_size);
79	int generic_setxattr(struct dentry dentry, const char name, const void *value, size_t size, int flags);	88	int generic_setxattr(struct dentry dentry, const char name, const void *value, size_t size, int flags);
80	int generic_removexattr(struct dentry dentry, const char name);	89	int generic_removexattr(struct dentry dentry, const char name);
81		90	ssize_t vfs_getxattr_alloc(struct dentry dentry, const char name,
		91	char **xattr_value, size_t size, gfp_t flags);
		92	int vfs_xattr_cmp(struct dentry dentry, const char xattr_name,
		93	const char *value, size_t size, gfp_t flags);
82	#endif /* __KERNEL__ */	94	#endif /* __KERNEL__ */
83		95
84	#endif /* _LINUX_XATTR_H */	96	#endif /* _LINUX_XATTR_H */