Skip to content
Permalink
Browse files
integrity: disassociate ima_filter_rule from security_audit_rule
Create real functions for the ima_filter_rule interfaces.
These replace #defines that obscure the reuse of audit
interfaces. The new fuctions are put in security.c because
they use security module registered hooks that we don't
want exported.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <paul@paul-moore.com>
  • Loading branch information
cschaufler authored and intel-lab-lkp committed Dec 14, 2021
1 parent 632cb15 commit dcedf3ce1784c565747e19c7917ddbcd3422b821
Show file tree
Hide file tree
Showing 3 changed files with 47 additions and 26 deletions.
@@ -1917,6 +1917,32 @@ static inline void security_audit_rule_free(void *lsmrule)
#endif /* CONFIG_SECURITY */
#endif /* CONFIG_AUDIT */

#ifdef CONFIG_IMA_LSM_RULES
#ifdef CONFIG_SECURITY
int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule);
void ima_filter_rule_free(void *lsmrule);

#else

static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
void **lsmrule)
{
return 0;
}

static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
void *lsmrule)
{
return 0;
}

static inline void ima_filter_rule_free(void *lsmrule)
{ }

#endif /* CONFIG_SECURITY */
#endif /* CONFIG_IMA_LSM_RULES */

#ifdef CONFIG_SECURITYFS

extern struct dentry *securityfs_create_file(const char *name, umode_t mode,
@@ -418,32 +418,6 @@ static inline void ima_free_modsig(struct modsig *modsig)
}
#endif /* CONFIG_IMA_APPRAISE_MODSIG */

/* LSM based policy rules require audit */
#ifdef CONFIG_IMA_LSM_RULES

#define ima_filter_rule_init security_audit_rule_init
#define ima_filter_rule_free security_audit_rule_free
#define ima_filter_rule_match security_audit_rule_match

#else

static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
void **lsmrule)
{
return -EINVAL;
}

static inline void ima_filter_rule_free(void *lsmrule)
{
}

static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
void *lsmrule)
{
return -EINVAL;
}
#endif /* CONFIG_IMA_LSM_RULES */

#ifdef CONFIG_IMA_READ_POLICY
#define POLICY_FILE_FLAGS (S_IWUSR | S_IRUSR)
#else
@@ -2563,6 +2563,27 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
}
#endif /* CONFIG_AUDIT */

#ifdef CONFIG_IMA_LSM_RULES
/*
* The integrity subsystem uses the same hooks as
* the audit subsystem.
*/
int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
{
return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule);
}

void ima_filter_rule_free(void *lsmrule)
{
call_void_hook(audit_rule_free, lsmrule);
}

int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
{
return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule);
}
#endif /* CONFIG_IMA_LSM_RULES */

#ifdef CONFIG_BPF_SYSCALL
int security_bpf(int cmd, union bpf_attr *attr, unsigned int size)
{

0 comments on commit dcedf3c

Please sign in to comment.