[PATCH] integrity: Expose data structures required for include/linux/integrity.h
Casey Schaufler
casey at schaufler-ca.com
Tue Dec 17 16:25:01 UTC 2019
On 12/17/2019 5:47 AM, Florent Revest wrote:
> From: Florent Revest <revest at google.com>
>
> include/linux/integrity.h exposes the prototype of integrity_inode_get().
> However, it relies on struct integrity_iint_cache which is currently
> defined in an internal header, security/integrity/integrity.h.
>
> To allow the rest of the kernel to use integrity_inode_get,
Why do you want to do this?
> this patch
> moves the definition of the necessary structures from a private header
> to a global kernel header.
>
> Signed-off-by: Florent Revest <revest at google.com>
> ---
> include/linux/integrity.h | 37 ++++++++++++++++++++++++++++++++++
> security/integrity/integrity.h | 37 ----------------------------------
> 2 files changed, 37 insertions(+), 37 deletions(-)
>
> diff --git a/include/linux/integrity.h b/include/linux/integrity.h
> index 2271939c5c31..15a0d5e91737 100644
> --- a/include/linux/integrity.h
> +++ b/include/linux/integrity.h
> @@ -18,6 +18,43 @@ enum integrity_status {
> INTEGRITY_UNKNOWN,
> };
>
> +#define IMA_MAX_DIGEST_SIZE 64
> +
> +struct ima_digest_data {
> + u8 algo;
> + u8 length;
> + union {
> + struct {
> + u8 unused;
> + u8 type;
> + } sha1;
> + struct {
> + u8 type;
> + u8 algo;
> + } ng;
> + u8 data[2];
> + } xattr;
> + u8 digest[0];
> +} __packed;
> +
> +/* integrity data associated with an inode */
> +struct integrity_iint_cache {
> + struct rb_node rb_node; /* rooted in integrity_iint_tree */
> + struct mutex mutex; /* protects: version, flags, digest */
> + struct inode *inode; /* back pointer to inode in question */
> + u64 version; /* track inode changes */
> + unsigned long flags;
> + unsigned long measured_pcrs;
> + unsigned long atomic_flags;
> + enum integrity_status ima_file_status:4;
> + enum integrity_status ima_mmap_status:4;
> + enum integrity_status ima_bprm_status:4;
> + enum integrity_status ima_read_status:4;
> + enum integrity_status ima_creds_status:4;
> + enum integrity_status evm_status:4;
> + struct ima_digest_data *ima_hash;
> +};
> +
> /* List of EVM protected security xattrs */
> #ifdef CONFIG_INTEGRITY
> extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index 65377848fbc5..2d5e69ab4646 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -77,25 +77,6 @@ struct evm_ima_xattr_data {
> u8 digest[SHA1_DIGEST_SIZE];
> } __packed;
>
> -#define IMA_MAX_DIGEST_SIZE 64
> -
> -struct ima_digest_data {
> - u8 algo;
> - u8 length;
> - union {
> - struct {
> - u8 unused;
> - u8 type;
> - } sha1;
> - struct {
> - u8 type;
> - u8 algo;
> - } ng;
> - u8 data[2];
> - } xattr;
> - u8 digest[0];
> -} __packed;
> -
> /*
> * signature format v2 - for using with asymmetric keys
> */
> @@ -108,24 +89,6 @@ struct signature_v2_hdr {
> uint8_t sig[0]; /* signature payload */
> } __packed;
>
> -/* integrity data associated with an inode */
> -struct integrity_iint_cache {
> - struct rb_node rb_node; /* rooted in integrity_iint_tree */
> - struct mutex mutex; /* protects: version, flags, digest */
> - struct inode *inode; /* back pointer to inode in question */
> - u64 version; /* track inode changes */
> - unsigned long flags;
> - unsigned long measured_pcrs;
> - unsigned long atomic_flags;
> - enum integrity_status ima_file_status:4;
> - enum integrity_status ima_mmap_status:4;
> - enum integrity_status ima_bprm_status:4;
> - enum integrity_status ima_read_status:4;
> - enum integrity_status ima_creds_status:4;
> - enum integrity_status evm_status:4;
> - struct ima_digest_data *ima_hash;
> -};
> -
> /* rbtree tree calls to lookup, insert, delete
> * integrity data associated with an inode.
> */
More information about the Linux-security-module-archive
mailing list