[PATCH] integrity: Expose data structures required for include/linux/integrity.h

Casey Schaufler casey at schaufler-ca.com
Tue Dec 17 16:25:01 UTC 2019


On 12/17/2019 5:47 AM, Florent Revest wrote:
> From: Florent Revest <revest at google.com>
>
> include/linux/integrity.h exposes the prototype of integrity_inode_get().
> However, it relies on struct integrity_iint_cache which is currently
> defined in an internal header, security/integrity/integrity.h.
>
> To allow the rest of the kernel to use integrity_inode_get,

Why do you want to do this?

>  this patch
> moves the definition of the necessary structures from a private header
> to a global kernel header.
>
> Signed-off-by: Florent Revest <revest at google.com>
> ---
>  include/linux/integrity.h      | 37 ++++++++++++++++++++++++++++++++++
>  security/integrity/integrity.h | 37 ----------------------------------
>  2 files changed, 37 insertions(+), 37 deletions(-)
>
> diff --git a/include/linux/integrity.h b/include/linux/integrity.h
> index 2271939c5c31..15a0d5e91737 100644
> --- a/include/linux/integrity.h
> +++ b/include/linux/integrity.h
> @@ -18,6 +18,43 @@ enum integrity_status {
>  	INTEGRITY_UNKNOWN,
>  };
>  
> +#define IMA_MAX_DIGEST_SIZE	64
> +
> +struct ima_digest_data {
> +	u8 algo;
> +	u8 length;
> +	union {
> +		struct {
> +			u8 unused;
> +			u8 type;
> +		} sha1;
> +		struct {
> +			u8 type;
> +			u8 algo;
> +		} ng;
> +		u8 data[2];
> +	} xattr;
> +	u8 digest[0];
> +} __packed;
> +
> +/* integrity data associated with an inode */
> +struct integrity_iint_cache {
> +	struct rb_node rb_node;	/* rooted in integrity_iint_tree */
> +	struct mutex mutex;	/* protects: version, flags, digest */
> +	struct inode *inode;	/* back pointer to inode in question */
> +	u64 version;		/* track inode changes */
> +	unsigned long flags;
> +	unsigned long measured_pcrs;
> +	unsigned long atomic_flags;
> +	enum integrity_status ima_file_status:4;
> +	enum integrity_status ima_mmap_status:4;
> +	enum integrity_status ima_bprm_status:4;
> +	enum integrity_status ima_read_status:4;
> +	enum integrity_status ima_creds_status:4;
> +	enum integrity_status evm_status:4;
> +	struct ima_digest_data *ima_hash;
> +};
> +
>  /* List of EVM protected security xattrs */
>  #ifdef CONFIG_INTEGRITY
>  extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index 65377848fbc5..2d5e69ab4646 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -77,25 +77,6 @@ struct evm_ima_xattr_data {
>  	u8 digest[SHA1_DIGEST_SIZE];
>  } __packed;
>  
> -#define IMA_MAX_DIGEST_SIZE	64
> -
> -struct ima_digest_data {
> -	u8 algo;
> -	u8 length;
> -	union {
> -		struct {
> -			u8 unused;
> -			u8 type;
> -		} sha1;
> -		struct {
> -			u8 type;
> -			u8 algo;
> -		} ng;
> -		u8 data[2];
> -	} xattr;
> -	u8 digest[0];
> -} __packed;
> -
>  /*
>   * signature format v2 - for using with asymmetric keys
>   */
> @@ -108,24 +89,6 @@ struct signature_v2_hdr {
>  	uint8_t sig[0];		/* signature payload */
>  } __packed;
>  
> -/* integrity data associated with an inode */
> -struct integrity_iint_cache {
> -	struct rb_node rb_node;	/* rooted in integrity_iint_tree */
> -	struct mutex mutex;	/* protects: version, flags, digest */
> -	struct inode *inode;	/* back pointer to inode in question */
> -	u64 version;		/* track inode changes */
> -	unsigned long flags;
> -	unsigned long measured_pcrs;
> -	unsigned long atomic_flags;
> -	enum integrity_status ima_file_status:4;
> -	enum integrity_status ima_mmap_status:4;
> -	enum integrity_status ima_bprm_status:4;
> -	enum integrity_status ima_read_status:4;
> -	enum integrity_status ima_creds_status:4;
> -	enum integrity_status evm_status:4;
> -	struct ima_digest_data *ima_hash;
> -};
> -
>  /* rbtree tree calls to lookup, insert, delete
>   * integrity data associated with an inode.
>   */



More information about the Linux-security-module-archive mailing list