Commit cd3cec0a authored by Roberto Sassu's avatar Roberto Sassu Committed by Paul Moore

ima: Move to LSM infrastructure

Move hardcoded IMA function calls (not appraisal-specific functions) from
various places in the kernel to the LSM infrastructure, by introducing a
new LSM named 'ima' (at the end of the LSM list and always enabled like
'integrity').

Having IMA before EVM in the Makefile is sufficient to preserve the
relative order of the new 'ima' LSM in respect to the upcoming 'evm' LSM,
and thus the order of IMA and EVM function calls as when they were
hardcoded.

Make moved functions as static (except ima_post_key_create_or_update(),
which is not in ima_main.c), and register them as implementation of the
respective hooks in the new function init_ima_lsm().

Select CONFIG_SECURITY_PATH, to ensure that the path-based LSM hook
path_post_mknod is always available and ima_post_path_mknod() is always
executed to mark files as new, as before the move.

A slight difference is that IMA and EVM functions registered for the
inode_post_setattr, inode_post_removexattr, path_post_mknod,
inode_post_create_tmpfile, inode_post_set_acl and inode_post_remove_acl
won't be executed for private inodes. Since those inodes are supposed to be
fs-internal, they should not be of interest to IMA or EVM. The S_PRIVATE
flag is used for anonymous inodes, hugetlbfs, reiserfs xattrs, XFS scrub
and kernel-internal tmpfs files.

Conditionally register ima_post_key_create_or_update() if
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled. Also, conditionally register
ima_kernel_module_request() if CONFIG_INTEGRITY_ASYMMETRIC_KEYS is enabled.

Finally, add the LSM_ID_IMA case in lsm_list_modules_test.c.
Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Acked-by: default avatarChuck Lever <chuck.lever@oracle.com>
Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
Acked-by: default avatarChristian Brauner <brauner@kernel.org>
Reviewed-by: default avatarStefan Berger <stefanb@linux.ibm.com>
Reviewed-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Acked-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 06cca511
...@@ -26,7 +26,6 @@ ...@@ -26,7 +26,6 @@
#include <linux/percpu_counter.h> #include <linux/percpu_counter.h>
#include <linux/percpu.h> #include <linux/percpu.h>
#include <linux/task_work.h> #include <linux/task_work.h>
#include <linux/ima.h>
#include <linux/swap.h> #include <linux/swap.h>
#include <linux/kmemleak.h> #include <linux/kmemleak.h>
...@@ -368,7 +367,6 @@ static void __fput(struct file *file) ...@@ -368,7 +367,6 @@ static void __fput(struct file *file)
locks_remove_file(file); locks_remove_file(file);
security_file_release(file); security_file_release(file);
ima_file_free(file);
if (unlikely(file->f_flags & FASYNC)) { if (unlikely(file->f_flags & FASYNC)) {
if (file->f_op->fasync) if (file->f_op->fasync)
file->f_op->fasync(-1, file, 0); file->f_op->fasync(-1, file, 0);
......
...@@ -27,7 +27,6 @@ ...@@ -27,7 +27,6 @@
#include <linux/fsnotify.h> #include <linux/fsnotify.h>
#include <linux/personality.h> #include <linux/personality.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
#include <linux/syscalls.h> #include <linux/syscalls.h>
#include <linux/mount.h> #include <linux/mount.h>
#include <linux/audit.h> #include <linux/audit.h>
...@@ -3641,8 +3640,6 @@ static int do_open(struct nameidata *nd, ...@@ -3641,8 +3640,6 @@ static int do_open(struct nameidata *nd,
error = vfs_open(&nd->path, file); error = vfs_open(&nd->path, file);
if (!error) if (!error)
error = security_file_post_open(file, op->acc_mode); error = security_file_post_open(file, op->acc_mode);
if (!error)
error = ima_file_check(file, op->acc_mode);
if (!error && do_truncate) if (!error && do_truncate)
error = handle_truncate(idmap, file); error = handle_truncate(idmap, file);
if (unlikely(error > 0)) { if (unlikely(error > 0)) {
...@@ -3706,7 +3703,6 @@ static int vfs_tmpfile(struct mnt_idmap *idmap, ...@@ -3706,7 +3703,6 @@ static int vfs_tmpfile(struct mnt_idmap *idmap,
spin_unlock(&inode->i_lock); spin_unlock(&inode->i_lock);
} }
security_inode_post_create_tmpfile(idmap, inode); security_inode_post_create_tmpfile(idmap, inode);
ima_post_create_tmpfile(idmap, inode);
return 0; return 0;
} }
...@@ -4052,8 +4048,6 @@ static int do_mknodat(int dfd, struct filename *name, umode_t mode, ...@@ -4052,8 +4048,6 @@ static int do_mknodat(int dfd, struct filename *name, umode_t mode,
case 0: case S_IFREG: case 0: case S_IFREG:
error = vfs_create(idmap, path.dentry->d_inode, error = vfs_create(idmap, path.dentry->d_inode,
dentry, mode, true); dentry, mode, true);
if (!error)
ima_post_path_mknod(idmap, dentry);
break; break;
case S_IFCHR: case S_IFBLK: case S_IFCHR: case S_IFBLK:
error = vfs_mknod(idmap, path.dentry->d_inode, error = vfs_mknod(idmap, path.dentry->d_inode,
......
...@@ -25,7 +25,6 @@ ...@@ -25,7 +25,6 @@
#include <linux/posix_acl_xattr.h> #include <linux/posix_acl_xattr.h>
#include <linux/xattr.h> #include <linux/xattr.h>
#include <linux/jhash.h> #include <linux/jhash.h>
#include <linux/ima.h>
#include <linux/pagemap.h> #include <linux/pagemap.h>
#include <linux/slab.h> #include <linux/slab.h>
#include <linux/uaccess.h> #include <linux/uaccess.h>
...@@ -883,12 +882,6 @@ __nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, ...@@ -883,12 +882,6 @@ __nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type,
goto out; goto out;
} }
host_err = ima_file_check(file, may_flags);
if (host_err) {
fput(file);
goto out;
}
if (may_flags & NFSD_MAY_64BIT_COOKIE) if (may_flags & NFSD_MAY_64BIT_COOKIE)
file->f_mode |= FMODE_64BITHASH; file->f_mode |= FMODE_64BITHASH;
else else
......
...@@ -29,7 +29,6 @@ ...@@ -29,7 +29,6 @@
#include <linux/audit.h> #include <linux/audit.h>
#include <linux/falloc.h> #include <linux/falloc.h>
#include <linux/fs_struct.h> #include <linux/fs_struct.h>
#include <linux/ima.h>
#include <linux/dnotify.h> #include <linux/dnotify.h>
#include <linux/compat.h> #include <linux/compat.h>
#include <linux/mnt_idmapping.h> #include <linux/mnt_idmapping.h>
......
...@@ -16,24 +16,6 @@ struct linux_binprm; ...@@ -16,24 +16,6 @@ struct linux_binprm;
#ifdef CONFIG_IMA #ifdef CONFIG_IMA
extern enum hash_algo ima_get_current_hash_algo(void); extern enum hash_algo ima_get_current_hash_algo(void);
extern int ima_bprm_check(struct linux_binprm *bprm);
extern int ima_file_check(struct file *file, int mask);
extern void ima_post_create_tmpfile(struct mnt_idmap *idmap,
struct inode *inode);
extern void ima_file_free(struct file *file);
extern int ima_file_mmap(struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags);
extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
unsigned long prot);
extern int ima_load_data(enum kernel_load_data_id id, bool contents);
extern int ima_post_load_data(char *buf, loff_t size,
enum kernel_load_data_id id, char *description);
extern int ima_read_file(struct file *file, enum kernel_read_file_id id,
bool contents);
extern int ima_post_read_file(struct file *file, char *buf, loff_t size,
enum kernel_read_file_id id);
extern void ima_post_path_mknod(struct mnt_idmap *idmap,
struct dentry *dentry);
extern int ima_file_hash(struct file *file, char *buf, size_t buf_size); extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size); extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size);
extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size); extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);
...@@ -58,68 +40,6 @@ static inline enum hash_algo ima_get_current_hash_algo(void) ...@@ -58,68 +40,6 @@ static inline enum hash_algo ima_get_current_hash_algo(void)
return HASH_ALGO__LAST; return HASH_ALGO__LAST;
} }
static inline int ima_bprm_check(struct linux_binprm *bprm)
{
return 0;
}
static inline int ima_file_check(struct file *file, int mask)
{
return 0;
}
static inline void ima_post_create_tmpfile(struct mnt_idmap *idmap,
struct inode *inode)
{
}
static inline void ima_file_free(struct file *file)
{
return;
}
static inline int ima_file_mmap(struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags)
{
return 0;
}
static inline int ima_file_mprotect(struct vm_area_struct *vma,
unsigned long reqprot, unsigned long prot)
{
return 0;
}
static inline int ima_load_data(enum kernel_load_data_id id, bool contents)
{
return 0;
}
static inline int ima_post_load_data(char *buf, loff_t size,
enum kernel_load_data_id id,
char *description)
{
return 0;
}
static inline int ima_read_file(struct file *file, enum kernel_read_file_id id,
bool contents)
{
return 0;
}
static inline int ima_post_read_file(struct file *file, char *buf, loff_t size,
enum kernel_read_file_id id)
{
return 0;
}
static inline void ima_post_path_mknod(struct mnt_idmap *idmap,
struct dentry *dentry)
{
return;
}
static inline int ima_file_hash(struct file *file, char *buf, size_t buf_size) static inline int ima_file_hash(struct file *file, char *buf, size_t buf_size)
{ {
return -EOPNOTSUPP; return -EOPNOTSUPP;
...@@ -170,20 +90,6 @@ static inline void ima_add_kexec_buffer(struct kimage *image) ...@@ -170,20 +90,6 @@ static inline void ima_add_kexec_buffer(struct kimage *image)
{} {}
#endif #endif
#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
extern void ima_post_key_create_or_update(struct key *keyring,
struct key *key,
const void *payload, size_t plen,
unsigned long flags, bool create);
#else
static inline void ima_post_key_create_or_update(struct key *keyring,
struct key *key,
const void *payload,
size_t plen,
unsigned long flags,
bool create) {}
#endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */
#ifdef CONFIG_IMA_APPRAISE #ifdef CONFIG_IMA_APPRAISE
extern bool is_ima_appraise_enabled(void); extern bool is_ima_appraise_enabled(void);
extern void ima_inode_post_setattr(struct mnt_idmap *idmap, extern void ima_inode_post_setattr(struct mnt_idmap *idmap,
...@@ -256,14 +162,4 @@ static inline bool ima_appraise_signature(enum kernel_read_file_id func) ...@@ -256,14 +162,4 @@ static inline bool ima_appraise_signature(enum kernel_read_file_id func)
return false; return false;
} }
#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
#if defined(CONFIG_IMA) && defined(CONFIG_INTEGRITY_ASYMMETRIC_KEYS)
extern int ima_kernel_module_request(char *kmod_name);
#else
static inline int ima_kernel_module_request(char *kmod_name)
{
return 0;
}
#endif
#endif /* _LINUX_IMA_H */ #endif /* _LINUX_IMA_H */
...@@ -62,6 +62,7 @@ struct lsm_ctx { ...@@ -62,6 +62,7 @@ struct lsm_ctx {
#define LSM_ID_LOCKDOWN 108 #define LSM_ID_LOCKDOWN 108
#define LSM_ID_BPF 109 #define LSM_ID_BPF 109
#define LSM_ID_LANDLOCK 110 #define LSM_ID_LANDLOCK 110
#define LSM_ID_IMA 111
/* /*
* LSM_ATTR_XXX definitions identify different LSM attributes * LSM_ATTR_XXX definitions identify different LSM attributes
......
...@@ -18,5 +18,6 @@ integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o ...@@ -18,5 +18,6 @@ integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \ integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \
platform_certs/load_powerpc.o \ platform_certs/load_powerpc.o \
platform_certs/keyring_handler.o platform_certs/keyring_handler.o
# The relative order of the 'ima' and 'evm' LSMs depends on the order below.
obj-$(CONFIG_IMA) += ima/ obj-$(CONFIG_IMA) += ima/
obj-$(CONFIG_EVM) += evm/ obj-$(CONFIG_EVM) += evm/
...@@ -8,6 +8,7 @@ config IMA ...@@ -8,6 +8,7 @@ config IMA
select CRYPTO_HMAC select CRYPTO_HMAC
select CRYPTO_SHA1 select CRYPTO_SHA1
select CRYPTO_HASH_INFO select CRYPTO_HASH_INFO
select SECURITY_PATH
select TCG_TPM if HAS_IOMEM select TCG_TPM if HAS_IOMEM
select TCG_TIS if TCG_TPM && X86 select TCG_TIS if TCG_TPM && X86
select TCG_CRB if TCG_TPM && ACPI select TCG_CRB if TCG_TPM && ACPI
......
...@@ -127,6 +127,12 @@ void ima_load_kexec_buffer(void); ...@@ -127,6 +127,12 @@ void ima_load_kexec_buffer(void);
static inline void ima_load_kexec_buffer(void) {} static inline void ima_load_kexec_buffer(void) {}
#endif /* CONFIG_HAVE_IMA_KEXEC */ #endif /* CONFIG_HAVE_IMA_KEXEC */
#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
void ima_post_key_create_or_update(struct key *keyring, struct key *key,
const void *payload, size_t plen,
unsigned long flags, bool create);
#endif
/* /*
* The default binary_runtime_measurements list format is defined as the * The default binary_runtime_measurements list format is defined as the
* platform native format. The canonical format is defined as little-endian. * platform native format. The canonical format is defined as little-endian.
......
...@@ -189,7 +189,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint, ...@@ -189,7 +189,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
* *
* Flag files that changed, based on i_version * Flag files that changed, based on i_version
*/ */
void ima_file_free(struct file *file) static void ima_file_free(struct file *file)
{ {
struct inode *inode = file_inode(file); struct inode *inode = file_inode(file);
struct integrity_iint_cache *iint; struct integrity_iint_cache *iint;
...@@ -427,7 +427,7 @@ static int process_measurement(struct file *file, const struct cred *cred, ...@@ -427,7 +427,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
* On success return 0. On integrity appraisal error, assuming the file * On success return 0. On integrity appraisal error, assuming the file
* is in policy and IMA-appraisal is in enforcing mode, return -EACCES. * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
*/ */
int ima_file_mmap(struct file *file, unsigned long reqprot, static int ima_file_mmap(struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags) unsigned long prot, unsigned long flags)
{ {
u32 secid; u32 secid;
...@@ -466,7 +466,7 @@ int ima_file_mmap(struct file *file, unsigned long reqprot, ...@@ -466,7 +466,7 @@ int ima_file_mmap(struct file *file, unsigned long reqprot,
* *
* On mprotect change success, return 0. On failure, return -EACESS. * On mprotect change success, return 0. On failure, return -EACESS.
*/ */
int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
unsigned long prot) unsigned long prot)
{ {
struct ima_template_desc *template = NULL; struct ima_template_desc *template = NULL;
...@@ -525,7 +525,7 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, ...@@ -525,7 +525,7 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
* On success return 0. On integrity appraisal error, assuming the file * On success return 0. On integrity appraisal error, assuming the file
* is in policy and IMA-appraisal is in enforcing mode, return -EACCES. * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
*/ */
int ima_bprm_check(struct linux_binprm *bprm) static int ima_bprm_check(struct linux_binprm *bprm)
{ {
int ret; int ret;
u32 secid; u32 secid;
...@@ -551,7 +551,7 @@ int ima_bprm_check(struct linux_binprm *bprm) ...@@ -551,7 +551,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
* On success return 0. On integrity appraisal error, assuming the file * On success return 0. On integrity appraisal error, assuming the file
* is in policy and IMA-appraisal is in enforcing mode, return -EACCES. * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
*/ */
int ima_file_check(struct file *file, int mask) static int ima_file_check(struct file *file, int mask)
{ {
u32 secid; u32 secid;
...@@ -560,7 +560,6 @@ int ima_file_check(struct file *file, int mask) ...@@ -560,7 +560,6 @@ int ima_file_check(struct file *file, int mask)
mask & (MAY_READ | MAY_WRITE | MAY_EXEC | mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
MAY_APPEND), FILE_CHECK); MAY_APPEND), FILE_CHECK);
} }
EXPORT_SYMBOL_GPL(ima_file_check);
static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf, static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf,
size_t buf_size) size_t buf_size)
...@@ -685,8 +684,9 @@ EXPORT_SYMBOL_GPL(ima_inode_hash); ...@@ -685,8 +684,9 @@ EXPORT_SYMBOL_GPL(ima_inode_hash);
* Skip calling process_measurement(), but indicate which newly, created * Skip calling process_measurement(), but indicate which newly, created
* tmpfiles are in policy. * tmpfiles are in policy.
*/ */
void ima_post_create_tmpfile(struct mnt_idmap *idmap, static void ima_post_create_tmpfile(struct mnt_idmap *idmap,
struct inode *inode) struct inode *inode)
{ {
struct integrity_iint_cache *iint; struct integrity_iint_cache *iint;
int must_appraise; int must_appraise;
...@@ -717,8 +717,7 @@ void ima_post_create_tmpfile(struct mnt_idmap *idmap, ...@@ -717,8 +717,7 @@ void ima_post_create_tmpfile(struct mnt_idmap *idmap,
* Mark files created via the mknodat syscall as new, so that the * Mark files created via the mknodat syscall as new, so that the
* file data can be written later. * file data can be written later.
*/ */
void ima_post_path_mknod(struct mnt_idmap *idmap, static void ima_post_path_mknod(struct mnt_idmap *idmap, struct dentry *dentry)
struct dentry *dentry)
{ {
struct integrity_iint_cache *iint; struct integrity_iint_cache *iint;
struct inode *inode = dentry->d_inode; struct inode *inode = dentry->d_inode;
...@@ -753,7 +752,7 @@ void ima_post_path_mknod(struct mnt_idmap *idmap, ...@@ -753,7 +752,7 @@ void ima_post_path_mknod(struct mnt_idmap *idmap,
* *
* For permission return 0, otherwise return -EACCES. * For permission return 0, otherwise return -EACCES.
*/ */
int ima_read_file(struct file *file, enum kernel_read_file_id read_id, static int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
bool contents) bool contents)
{ {
enum ima_hooks func; enum ima_hooks func;
...@@ -803,7 +802,7 @@ const int read_idmap[READING_MAX_ID] = { ...@@ -803,7 +802,7 @@ const int read_idmap[READING_MAX_ID] = {
* On success return 0. On integrity appraisal error, assuming the file * On success return 0. On integrity appraisal error, assuming the file
* is in policy and IMA-appraisal is in enforcing mode, return -EACCES. * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
*/ */
int ima_post_read_file(struct file *file, char *buf, loff_t size, static int ima_post_read_file(struct file *file, char *buf, loff_t size,
enum kernel_read_file_id read_id) enum kernel_read_file_id read_id)
{ {
enum ima_hooks func; enum ima_hooks func;
...@@ -837,7 +836,7 @@ int ima_post_read_file(struct file *file, char *buf, loff_t size, ...@@ -837,7 +836,7 @@ int ima_post_read_file(struct file *file, char *buf, loff_t size,
* *
* For permission return 0, otherwise return -EACCES. * For permission return 0, otherwise return -EACCES.
*/ */
int ima_load_data(enum kernel_load_data_id id, bool contents) static int ima_load_data(enum kernel_load_data_id id, bool contents)
{ {
bool ima_enforce, sig_enforce; bool ima_enforce, sig_enforce;
...@@ -891,7 +890,7 @@ int ima_load_data(enum kernel_load_data_id id, bool contents) ...@@ -891,7 +890,7 @@ int ima_load_data(enum kernel_load_data_id id, bool contents)
* On success return 0. On integrity appraisal error, assuming the file * On success return 0. On integrity appraisal error, assuming the file
* is in policy and IMA-appraisal is in enforcing mode, return -EACCES. * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
*/ */
int ima_post_load_data(char *buf, loff_t size, static int ima_post_load_data(char *buf, loff_t size,
enum kernel_load_data_id load_id, enum kernel_load_data_id load_id,
char *description) char *description)
{ {
...@@ -1114,7 +1113,7 @@ EXPORT_SYMBOL_GPL(ima_measure_critical_data); ...@@ -1114,7 +1113,7 @@ EXPORT_SYMBOL_GPL(ima_measure_critical_data);
* *
* Return: Zero if it is safe to load the kernel module, -EINVAL otherwise. * Return: Zero if it is safe to load the kernel module, -EINVAL otherwise.
*/ */
int ima_kernel_module_request(char *kmod_name) static int ima_kernel_module_request(char *kmod_name)
{ {
if (strncmp(kmod_name, "crypto-pkcs1pad(rsa,", 20) == 0) if (strncmp(kmod_name, "crypto-pkcs1pad(rsa,", 20) == 0)
return -EINVAL; return -EINVAL;
...@@ -1155,4 +1154,41 @@ static int __init init_ima(void) ...@@ -1155,4 +1154,41 @@ static int __init init_ima(void)
return error; return error;
} }
static struct security_hook_list ima_hooks[] __ro_after_init = {
LSM_HOOK_INIT(bprm_check_security, ima_bprm_check),
LSM_HOOK_INIT(file_post_open, ima_file_check),
LSM_HOOK_INIT(inode_post_create_tmpfile, ima_post_create_tmpfile),
LSM_HOOK_INIT(file_release, ima_file_free),
LSM_HOOK_INIT(mmap_file, ima_file_mmap),
LSM_HOOK_INIT(file_mprotect, ima_file_mprotect),
LSM_HOOK_INIT(kernel_load_data, ima_load_data),
LSM_HOOK_INIT(kernel_post_load_data, ima_post_load_data),
LSM_HOOK_INIT(kernel_read_file, ima_read_file),
LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file),
LSM_HOOK_INIT(path_post_mknod, ima_post_path_mknod),
#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
LSM_HOOK_INIT(key_post_create_or_update, ima_post_key_create_or_update),
#endif
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
LSM_HOOK_INIT(kernel_module_request, ima_kernel_module_request),
#endif
};
static const struct lsm_id ima_lsmid = {
.name = "ima",
.id = LSM_ID_IMA,
};
static int __init init_ima_lsm(void)
{
security_add_hooks(ima_hooks, ARRAY_SIZE(ima_hooks), &ima_lsmid);
return 0;
}
DEFINE_LSM(ima) = {
.name = "ima",
.init = init_ima_lsm,
.order = LSM_ORDER_LAST,
};
late_initcall(init_ima); /* Start IMA after the TPM is available */ late_initcall(init_ima); /* Start IMA after the TPM is available */
...@@ -18,6 +18,7 @@ ...@@ -18,6 +18,7 @@
#include <crypto/hash.h> #include <crypto/hash.h>
#include <linux/key.h> #include <linux/key.h>
#include <linux/audit.h> #include <linux/audit.h>
#include <linux/lsm_hooks.h>
/* iint action cache flags */ /* iint action cache flags */
#define IMA_MEASURE 0x00000001 #define IMA_MEASURE 0x00000001
......
...@@ -13,7 +13,6 @@ ...@@ -13,7 +13,6 @@
#include <linux/security.h> #include <linux/security.h>
#include <linux/workqueue.h> #include <linux/workqueue.h>
#include <linux/random.h> #include <linux/random.h>
#include <linux/ima.h>
#include <linux/err.h> #include <linux/err.h>
#include "internal.h" #include "internal.h"
...@@ -932,8 +931,6 @@ static key_ref_t __key_create_or_update(key_ref_t keyring_ref, ...@@ -932,8 +931,6 @@ static key_ref_t __key_create_or_update(key_ref_t keyring_ref,
security_key_post_create_or_update(keyring, key, payload, plen, flags, security_key_post_create_or_update(keyring, key, payload, plen, flags,
true); true);
ima_post_key_create_or_update(keyring, key, payload, plen,
flags, true);
key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
...@@ -965,13 +962,9 @@ static key_ref_t __key_create_or_update(key_ref_t keyring_ref, ...@@ -965,13 +962,9 @@ static key_ref_t __key_create_or_update(key_ref_t keyring_ref,
key_ref = __key_update(key_ref, &prep); key_ref = __key_update(key_ref, &prep);
if (!IS_ERR(key_ref)) { if (!IS_ERR(key_ref))
security_key_post_create_or_update(keyring, key, payload, plen, security_key_post_create_or_update(keyring, key, payload, plen,
flags, false); flags, false);
ima_post_key_create_or_update(keyring, key,
payload, plen,
flags, false);
}
goto error_free_prep; goto error_free_prep;
} }
......
...@@ -50,7 +50,8 @@ ...@@ -50,7 +50,8 @@
(IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \ (IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \
(IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) ? 1 : 0) + \ (IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) ? 1 : 0) + \
(IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \ (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \
(IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0)) (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0) + \
(IS_ENABLED(CONFIG_IMA) ? 1 : 0))
/* /*
* These are descriptions of the reasons that can be passed to the * These are descriptions of the reasons that can be passed to the
...@@ -1182,12 +1183,7 @@ int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file * ...@@ -1182,12 +1183,7 @@ int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *
*/ */
int security_bprm_check(struct linux_binprm *bprm) int security_bprm_check(struct linux_binprm *bprm)
{ {
int ret; return call_int_hook(bprm_check_security, 0, bprm);
ret = call_int_hook(bprm_check_security, 0, bprm);
if (ret)
return ret;
return ima_bprm_check(bprm);
} }
/** /**
...@@ -2895,13 +2891,8 @@ static inline unsigned long mmap_prot(struct file *file, unsigned long prot) ...@@ -2895,13 +2891,8 @@ static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
int security_mmap_file(struct file *file, unsigned long prot, int security_mmap_file(struct file *file, unsigned long prot,
unsigned long flags) unsigned long flags)
{ {
unsigned long prot_adj = mmap_prot(file, prot); return call_int_hook(mmap_file, 0, file, prot, mmap_prot(file, prot),
int ret; flags);
ret = call_int_hook(mmap_file, 0, file, prot, prot_adj, flags);
if (ret)
return ret;
return ima_file_mmap(file, prot, prot_adj, flags);
} }
/** /**
...@@ -2930,12 +2921,7 @@ int security_mmap_addr(unsigned long addr) ...@@ -2930,12 +2921,7 @@ int security_mmap_addr(unsigned long addr)
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
unsigned long prot) unsigned long prot)
{ {
int ret; return call_int_hook(file_mprotect, 0, vma, reqprot, prot);
ret = call_int_hook(file_mprotect, 0, vma, reqprot, prot);
if (ret)
return ret;
return ima_file_mprotect(vma, reqprot, prot);
} }
/** /**
...@@ -3244,12 +3230,7 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode) ...@@ -3244,12 +3230,7 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode)
*/ */
int security_kernel_module_request(char *kmod_name) int security_kernel_module_request(char *kmod_name)
{ {
int ret; return call_int_hook(kernel_module_request, 0, kmod_name);
ret = call_int_hook(kernel_module_request, 0, kmod_name);
if (ret)
return ret;
return ima_kernel_module_request(kmod_name);
} }
/** /**
...@@ -3265,12 +3246,7 @@ int security_kernel_module_request(char *kmod_name) ...@@ -3265,12 +3246,7 @@ int security_kernel_module_request(char *kmod_name)
int security_kernel_read_file(struct file *file, enum kernel_read_file_id id, int security_kernel_read_file(struct file *file, enum kernel_read_file_id id,
bool contents) bool contents)
{ {
int ret; return call_int_hook(kernel_read_file, 0, file, id, contents);
ret = call_int_hook(kernel_read_file, 0, file, id, contents);
if (ret)
return ret;
return ima_read_file(file, id, contents);
} }
EXPORT_SYMBOL_GPL(security_kernel_read_file); EXPORT_SYMBOL_GPL(security_kernel_read_file);
...@@ -3290,12 +3266,7 @@ EXPORT_SYMBOL_GPL(security_kernel_read_file); ...@@ -3290,12 +3266,7 @@ EXPORT_SYMBOL_GPL(security_kernel_read_file);
int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
enum kernel_read_file_id id) enum kernel_read_file_id id)
{ {
int ret; return call_int_hook(kernel_post_read_file, 0, file, buf, size, id);
ret = call_int_hook(kernel_post_read_file, 0, file, buf, size, id);
if (ret)
return ret;
return ima_post_read_file(file, buf, size, id);
} }
EXPORT_SYMBOL_GPL(security_kernel_post_read_file); EXPORT_SYMBOL_GPL(security_kernel_post_read_file);
...@@ -3310,12 +3281,7 @@ EXPORT_SYMBOL_GPL(security_kernel_post_read_file); ...@@ -3310,12 +3281,7 @@ EXPORT_SYMBOL_GPL(security_kernel_post_read_file);
*/ */
int security_kernel_load_data(enum kernel_load_data_id id, bool contents) int security_kernel_load_data(enum kernel_load_data_id id, bool contents)
{ {
int ret; return call_int_hook(kernel_load_data, 0, id, contents);
ret = call_int_hook(kernel_load_data, 0, id, contents);
if (ret)
return ret;
return ima_load_data(id, contents);
} }
EXPORT_SYMBOL_GPL(security_kernel_load_data); EXPORT_SYMBOL_GPL(security_kernel_load_data);
...@@ -3337,13 +3303,8 @@ int security_kernel_post_load_data(char *buf, loff_t size, ...@@ -3337,13 +3303,8 @@ int security_kernel_post_load_data(char *buf, loff_t size,
enum kernel_load_data_id id, enum kernel_load_data_id id,
char *description) char *description)
{ {
int ret; return call_int_hook(kernel_post_load_data, 0, buf, size, id,
ret = call_int_hook(kernel_post_load_data, 0, buf, size, id,
description); description);
if (ret)
return ret;
return ima_post_load_data(buf, size, id, description);
} }
EXPORT_SYMBOL_GPL(security_kernel_post_load_data); EXPORT_SYMBOL_GPL(security_kernel_post_load_data);
......
...@@ -122,6 +122,9 @@ TEST(correct_lsm_list_modules) ...@@ -122,6 +122,9 @@ TEST(correct_lsm_list_modules)
case LSM_ID_LANDLOCK: case LSM_ID_LANDLOCK:
name = "landlock"; name = "landlock";
break; break;
case LSM_ID_IMA:
name = "ima";
break;
default: default:
name = "INVALID"; name = "INVALID";
break; break;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment