aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/integrity/ima/ima.h2
-rw-r--r--security/integrity/ima/ima_api.c4
-rw-r--r--security/integrity/ima/ima_main.c21
-rw-r--r--security/integrity/ima/ima_policy.c3
-rw-r--r--security/security.c7
5 files changed, 33 insertions, 4 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 6ee8826662cc..3b2adb794f15 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -127,7 +127,7 @@ struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
127struct integrity_iint_cache *integrity_iint_find(struct inode *inode); 127struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
128 128
129/* IMA policy related functions */ 129/* IMA policy related functions */
130enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK, POST_SETATTR }; 130enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK, MODULE_CHECK, POST_SETATTR };
131 131
132int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, 132int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
133 int flags); 133 int flags);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index b356884fb3ef..0cea3db21657 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -100,12 +100,12 @@ err_out:
100 * ima_get_action - appraise & measure decision based on policy. 100 * ima_get_action - appraise & measure decision based on policy.
101 * @inode: pointer to inode to measure 101 * @inode: pointer to inode to measure
102 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE) 102 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
103 * @function: calling function (FILE_CHECK, BPRM_CHECK, FILE_MMAP) 103 * @function: calling function (FILE_CHECK, BPRM_CHECK, FILE_MMAP, MODULE_CHECK)
104 * 104 *
105 * The policy is defined in terms of keypairs: 105 * The policy is defined in terms of keypairs:
106 * subj=, obj=, type=, func=, mask=, fsmagic= 106 * subj=, obj=, type=, func=, mask=, fsmagic=
107 * subj,obj, and type: are LSM specific. 107 * subj,obj, and type: are LSM specific.
108 * func: FILE_CHECK | BPRM_CHECK | FILE_MMAP 108 * func: FILE_CHECK | BPRM_CHECK | FILE_MMAP | MODULE_CHECK
109 * mask: contains the permission mask 109 * mask: contains the permission mask
110 * fsmagic: hex value 110 * fsmagic: hex value
111 * 111 *
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 73c9a268253e..45de18e9a6f2 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -280,6 +280,27 @@ int ima_file_check(struct file *file, int mask)
280} 280}
281EXPORT_SYMBOL_GPL(ima_file_check); 281EXPORT_SYMBOL_GPL(ima_file_check);
282 282
283/**
284 * ima_module_check - based on policy, collect/store/appraise measurement.
285 * @file: pointer to the file to be measured/appraised
286 *
287 * Measure/appraise kernel modules based on policy.
288 *
289 * Always return 0 and audit dentry_open failures.
290 * Return code is based upon measurement appraisal.
291 */
292int ima_module_check(struct file *file)
293{
294 int rc;
295
296 if (!file)
297 rc = INTEGRITY_UNKNOWN;
298 else
299 rc = process_measurement(file, file->f_dentry->d_name.name,
300 MAY_EXEC, MODULE_CHECK);
301 return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;
302}
303
283static int __init init_ima(void) 304static int __init init_ima(void)
284{ 305{
285 int error; 306 int error;
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index c7dacd2eab7a..af7d182d5a46 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -80,6 +80,7 @@ static struct ima_rule_entry default_rules[] = {
80 .flags = IMA_FUNC | IMA_MASK}, 80 .flags = IMA_FUNC | IMA_MASK},
81 {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = GLOBAL_ROOT_UID, 81 {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = GLOBAL_ROOT_UID,
82 .flags = IMA_FUNC | IMA_MASK | IMA_UID}, 82 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
83 {.action = MEASURE,.func = MODULE_CHECK, .flags = IMA_FUNC},
83}; 84};
84 85
85static struct ima_rule_entry default_appraise_rules[] = { 86static struct ima_rule_entry default_appraise_rules[] = {
@@ -401,6 +402,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
401 /* PATH_CHECK is for backwards compat */ 402 /* PATH_CHECK is for backwards compat */
402 else if (strcmp(args[0].from, "PATH_CHECK") == 0) 403 else if (strcmp(args[0].from, "PATH_CHECK") == 0)
403 entry->func = FILE_CHECK; 404 entry->func = FILE_CHECK;
405 else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
406 entry->func = MODULE_CHECK;
404 else if (strcmp(args[0].from, "FILE_MMAP") == 0) 407 else if (strcmp(args[0].from, "FILE_MMAP") == 0)
405 entry->func = FILE_MMAP; 408 entry->func = FILE_MMAP;
406 else if (strcmp(args[0].from, "BPRM_CHECK") == 0) 409 else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
diff --git a/security/security.c b/security/security.c
index ce88630de15d..daa97f4ac9d1 100644
--- a/security/security.c
+++ b/security/security.c
@@ -822,7 +822,12 @@ int security_kernel_module_request(char *kmod_name)
822 822
823int security_kernel_module_from_file(struct file *file) 823int security_kernel_module_from_file(struct file *file)
824{ 824{
825 return security_ops->kernel_module_from_file(file); 825 int ret;
826
827 ret = security_ops->kernel_module_from_file(file);
828 if (ret)
829 return ret;
830 return ima_module_check(file);
826} 831}
827 832
828int security_task_fix_setuid(struct cred *new, const struct cred *old, 833int security_task_fix_setuid(struct cred *new, const struct cred *old,
generated by cgit v1.2.2 (git 2.25.0) at 2024-09-25 04:30:06 -0400