diff options
| author |   Linus Torvalds <torvalds@linux-foundation.org> | 2015-06-27 13:26:03 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-06-27 13:26:03 -0700 |
| commit | e22619a29fcdb513b7bc020e84225bb3b5914259 (patch) | |
| tree | 1d1d72a4c8cebad4f2d2bf738395ca4ececa95ec /security/integrity/ima/ima_api.c | |
| parent | Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus (diff) | |
| parent | Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next (diff) | |
| download | linux-dev-e22619a29fcdb513b7bc020e84225bb3b5914259.tar.xz linux-dev-e22619a29fcdb513b7bc020e84225bb3b5914259.zip | |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"The main change in this kernel is Casey's generalized LSM stacking
work, which removes the hard-coding of Capabilities and Yama stacking,
allowing multiple arbitrary "small" LSMs to be stacked with a default
monolithic module (e.g. SELinux, Smack, AppArmor).
See
https://lwn.net/Articles/636056/
This will allow smaller, simpler LSMs to be incorporated into the
mainline kernel and arbitrarily stacked by users. Also, this is a
useful cleanup of the LSM code in its own right"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (38 commits)
tpm, tpm_crb: fix le64_to_cpu conversions in crb_acpi_add()
vTPM: set virtual device before passing to ibmvtpm_reset_crq
tpm_ibmvtpm: remove unneccessary message level.
ima: update builtin policies
ima: extend "mask" policy matching support
ima: add support for new "euid" policy condition
ima: fix ima_show_template_data_ascii()
Smack: freeing an error pointer in smk_write_revoke_subj()
selinux: fix setting of security labels on NFS
selinux: Remove unused permission definitions
selinux: enable genfscon labeling for sysfs and pstore files
selinux: enable per-file labeling for debugfs files.
selinux: update netlink socket classes
signals: don't abuse __flush_signals() in selinux_bprm_committed_creds()
selinux: Print 'sclass' as string when unrecognized netlink message occurs
Smack: allow multiple labels in onlycap
Smack: fix seq operations in smackfs
ima: pass iint to ima_add_violation()
ima: wrap event related data to the new ima_event_data structure
integrity: add validity checks for 'path' parameter
...
Diffstat (limited to 'security/integrity/ima/ima_api.c')
| -rw-r--r-- | security/integrity/ima/ima_api.c | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index b8a27c5052d4..1d950fbb2aec 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -37,10 +37,8 @@ void ima_free_template_entry(struct ima_template_entry *entry) /* * ima_alloc_init_template - create and initialize a new template entry */ -int ima_alloc_init_template(struct integrity_iint_cache *iint, - struct file *file, const unsigned char *filename, - struct evm_ima_xattr_data *xattr_value, - int xattr_len, struct ima_template_entry **entry) +int ima_alloc_init_template(struct ima_event_data *event_data, + struct ima_template_entry **entry) { struct ima_template_desc *template_desc = ima_template_desc_current(); int i, result = 0; @@ -55,8 +53,7 @@ int ima_alloc_init_template(struct integrity_iint_cache *iint, struct ima_template_field *field = template_desc->fields[i]; u32 len; - result = field->field_init(iint, file, filename, - xattr_value, xattr_len, + result = field->field_init(event_data, &((*entry)->template_data[i])); if (result != 0) goto out; @@ -129,18 +126,20 @@ int ima_store_template(struct ima_template_entry *entry, * value is invalidated. */ void ima_add_violation(struct file *file, const unsigned char *filename, + struct integrity_iint_cache *iint, const char *op, const char *cause) { struct ima_template_entry *entry; struct inode *inode = file_inode(file); + struct ima_event_data event_data = {iint, file, filename, NULL, 0, + cause}; int violation = 1; int result; /* can overflow, only indicator */ atomic_long_inc(&ima_htable.violations); - result = ima_alloc_init_template(NULL, file, filename, - NULL, 0, &entry); + result = ima_alloc_init_template(&event_data, &entry); if (result < 0) { result = -ENOMEM; goto err_out; @@ -267,13 +266,14 @@ void ima_store_measurement(struct integrity_iint_cache *iint, int result = -ENOMEM; struct inode *inode = file_inode(file); struct ima_template_entry *entry; + struct ima_event_data event_data = {iint, file, filename, xattr_value, + xattr_len, NULL}; int violation = 0; if (iint->flags & IMA_MEASURED) return; - result = ima_alloc_init_template(iint, file, filename, - xattr_value, xattr_len, &entry); + result = ima_alloc_init_template(&event_data, &entry); if (result < 0) { integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, op, audit_cause, result, 0); |