integrity: IMA hooks

This patch replaces the generic integrity hooks, for which IMA registered
itself, with IMA integrity hooks in the appropriate places directly
in the fs directory.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Mimi Zohar 2009-02-04 09:06:57 -05:00 committed by James Morris
parent 659aaf2bb5
commit 6146f0d5e4
7 changed files with 86 additions and 7 deletions

View File

@ -44,6 +44,7 @@ parameter is applicable:
FB The frame buffer device is enabled. FB The frame buffer device is enabled.
HW Appropriate hardware is enabled. HW Appropriate hardware is enabled.
IA-64 IA-64 architecture is enabled. IA-64 IA-64 architecture is enabled.
IMA Integrity measurement architecture is enabled.
IOSCHED More than one I/O scheduler is enabled. IOSCHED More than one I/O scheduler is enabled.
IP_PNP IP DHCP, BOOTP, or RARP is enabled. IP_PNP IP DHCP, BOOTP, or RARP is enabled.
ISAPNP ISA PnP code is enabled. ISAPNP ISA PnP code is enabled.

View File

@ -45,6 +45,7 @@
#include <linux/proc_fs.h> #include <linux/proc_fs.h>
#include <linux/mount.h> #include <linux/mount.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
#include <linux/syscalls.h> #include <linux/syscalls.h>
#include <linux/tsacct_kern.h> #include <linux/tsacct_kern.h>
#include <linux/cn_proc.h> #include <linux/cn_proc.h>
@ -128,6 +129,9 @@ asmlinkage long sys_uselib(const char __user * library)
goto exit; goto exit;
error = vfs_permission(&nd, MAY_READ | MAY_EXEC | MAY_OPEN); error = vfs_permission(&nd, MAY_READ | MAY_EXEC | MAY_OPEN);
if (error)
goto exit;
error = ima_path_check(&nd.path, MAY_READ | MAY_EXEC | MAY_OPEN);
if (error) if (error)
goto exit; goto exit;
@ -681,6 +685,9 @@ struct file *open_exec(const char *name)
goto out_path_put; goto out_path_put;
err = vfs_permission(&nd, MAY_EXEC | MAY_OPEN); err = vfs_permission(&nd, MAY_EXEC | MAY_OPEN);
if (err)
goto out_path_put;
err = ima_path_check(&nd.path, MAY_EXEC | MAY_OPEN);
if (err) if (err)
goto out_path_put; goto out_path_put;
@ -1207,6 +1214,9 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
} }
#endif #endif
retval = security_bprm_check(bprm); retval = security_bprm_check(bprm);
if (retval)
return retval;
retval = ima_bprm_check(bprm);
if (retval) if (retval)
return retval; return retval;

View File

@ -13,6 +13,7 @@
#include <linux/module.h> #include <linux/module.h>
#include <linux/fs.h> #include <linux/fs.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
#include <linux/eventpoll.h> #include <linux/eventpoll.h>
#include <linux/rcupdate.h> #include <linux/rcupdate.h>
#include <linux/mount.h> #include <linux/mount.h>
@ -276,6 +277,7 @@ void __fput(struct file *file)
if (file->f_op && file->f_op->release) if (file->f_op && file->f_op->release)
file->f_op->release(inode, file); file->f_op->release(inode, file);
security_file_free(file); security_file_free(file);
ima_file_free(file);
if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL)) if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL))
cdev_put(inode->i_cdev); cdev_put(inode->i_cdev);
fops_put(file->f_op); fops_put(file->f_op);

View File

@ -17,6 +17,7 @@
#include <linux/hash.h> #include <linux/hash.h>
#include <linux/swap.h> #include <linux/swap.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
#include <linux/pagemap.h> #include <linux/pagemap.h>
#include <linux/cdev.h> #include <linux/cdev.h>
#include <linux/bootmem.h> #include <linux/bootmem.h>
@ -144,13 +145,13 @@ struct inode *inode_init_always(struct super_block *sb, struct inode *inode)
inode->i_cdev = NULL; inode->i_cdev = NULL;
inode->i_rdev = 0; inode->i_rdev = 0;
inode->dirtied_when = 0; inode->dirtied_when = 0;
if (security_inode_alloc(inode)) {
if (inode->i_sb->s_op->destroy_inode) if (security_inode_alloc(inode))
inode->i_sb->s_op->destroy_inode(inode); goto out_free_inode;
else
kmem_cache_free(inode_cachep, (inode)); /* allocate and initialize an i_integrity */
return NULL; if (ima_inode_alloc(inode))
} goto out_free_security;
spin_lock_init(&inode->i_lock); spin_lock_init(&inode->i_lock);
lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key); lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
@ -186,6 +187,15 @@ struct inode *inode_init_always(struct super_block *sb, struct inode *inode)
inode->i_mapping = mapping; inode->i_mapping = mapping;
return inode; return inode;
out_free_security:
security_inode_free(inode);
out_free_inode:
if (inode->i_sb->s_op->destroy_inode)
inode->i_sb->s_op->destroy_inode(inode);
else
kmem_cache_free(inode_cachep, (inode));
return NULL;
} }
EXPORT_SYMBOL(inode_init_always); EXPORT_SYMBOL(inode_init_always);

View File

@ -24,6 +24,7 @@
#include <linux/fsnotify.h> #include <linux/fsnotify.h>
#include <linux/personality.h> #include <linux/personality.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
#include <linux/syscalls.h> #include <linux/syscalls.h>
#include <linux/mount.h> #include <linux/mount.h>
#include <linux/audit.h> #include <linux/audit.h>
@ -860,6 +861,8 @@ static int __link_path_walk(const char *name, struct nameidata *nd)
err = exec_permission_lite(inode); err = exec_permission_lite(inode);
if (err == -EAGAIN) if (err == -EAGAIN)
err = vfs_permission(nd, MAY_EXEC); err = vfs_permission(nd, MAY_EXEC);
if (!err)
err = ima_path_check(&nd->path, MAY_EXEC);
if (err) if (err)
break; break;
@ -1525,6 +1528,11 @@ int may_open(struct nameidata *nd, int acc_mode, int flag)
error = vfs_permission(nd, acc_mode); error = vfs_permission(nd, acc_mode);
if (error) if (error)
return error; return error;
error = ima_path_check(&nd->path,
acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC));
if (error)
return error;
/* /*
* An append-only file must be opened in append mode for writing. * An append-only file must be opened in append mode for writing.
*/ */

44
include/linux/ima.h Normal file
View File

@ -0,0 +1,44 @@
/*
* Copyright (C) 2008 IBM Corporation
* Author: Mimi Zohar <zohar@us.ibm.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2 of the License.
*/
#include <linux/fs.h>
#ifndef _LINUX_IMA_H
#define _LINUX_IMA_H
static inline int ima_bprm_check(struct linux_binprm *bprm)
{
return 0;
}
static inline int ima_inode_alloc(struct inode *inode)
{
return 0;
}
static inline void ima_inode_free(struct inode *inode)
{
return;
}
static inline int ima_path_check(struct path *path, int mask)
{
return 0;
}
static inline void ima_file_free(struct file *file)
{
return;
}
static inline int ima_file_mmap(struct file *file, unsigned long prot)
{
return 0;
}
#endif /* _LINUX_IMA_H */

View File

@ -20,6 +20,7 @@
#include <linux/fs.h> #include <linux/fs.h>
#include <linux/personality.h> #include <linux/personality.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/ima.h>
#include <linux/hugetlb.h> #include <linux/hugetlb.h>
#include <linux/profile.h> #include <linux/profile.h>
#include <linux/module.h> #include <linux/module.h>
@ -1048,6 +1049,9 @@ unsigned long do_mmap_pgoff(struct file * file, unsigned long addr,
} }
error = security_file_mmap(file, reqprot, prot, flags, addr, 0); error = security_file_mmap(file, reqprot, prot, flags, addr, 0);
if (error)
return error;
error = ima_file_mmap(file, prot);
if (error) if (error)
return error; return error;