[PATCH v8 02/19] ima: Define ima_namespace structure and implement basic functions
Stefan Berger
stefanb at linux.vnet.ibm.com
Tue Jan 4 17:03:59 UTC 2022
From: Stefan Berger <stefanb at linux.ibm.com>
Define the initial ima_namespace structure and the ima_namespace
variable init_ima_ns for the host's IMA namespace. Implement basic
functions for namespacing support.
For now let get_current_ns() always returns a pointer to init_ima_ns.
Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
---
security/integrity/ima/Makefile | 2 +-
security/integrity/ima/ima.h | 10 ++++++++++
security/integrity/ima/ima_init.c | 4 ++++
security/integrity/ima/ima_init_ima_ns.c | 23 +++++++++++++++++++++++
4 files changed, 38 insertions(+), 1 deletion(-)
create mode 100644 security/integrity/ima/ima_init_ima_ns.c
diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
index 2499f2485c04..f8a5e5f3975d 100644
--- a/security/integrity/ima/Makefile
+++ b/security/integrity/ima/Makefile
@@ -7,7 +7,7 @@
obj-$(CONFIG_IMA) += ima.o
ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
- ima_policy.o ima_template.o ima_template_lib.o
+ ima_policy.o ima_template.o ima_template_lib.o ima_init_ima_ns.o
ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o
ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index be965a8715e4..c4af3275f015 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -119,6 +119,10 @@ struct ima_kexec_hdr {
u64 count;
};
+struct ima_namespace {
+} __randomize_layout;
+extern struct ima_namespace init_ima_ns;
+
extern const int read_idmap[];
#ifdef CONFIG_HAVE_IMA_KEXEC
@@ -136,6 +140,7 @@ extern bool ima_canonical_fmt;
/* Internal IMA function definitions */
int ima_init(void);
int ima_fs_init(void);
+int ima_ns_init(void);
int ima_add_template_entry(struct ima_template_entry *entry, int violation,
const char *op, struct inode *inode,
const unsigned char *filename);
@@ -450,4 +455,9 @@ static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
#define POLICY_FILE_FLAGS S_IWUSR
#endif /* CONFIG_IMA_READ_POLICY */
+static inline struct ima_namespace *get_current_ns(void)
+{
+ return &init_ima_ns;
+}
+
#endif /* __LINUX_IMA_H */
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index b26fa67476b4..f6ae4557a0da 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -120,6 +120,10 @@ int __init ima_init(void)
{
int rc;
+ rc = ima_ns_init();
+ if (rc)
+ return rc;
+
ima_tpm_chip = tpm_default_chip();
if (!ima_tpm_chip)
pr_info("No TPM chip found, activating TPM-bypass!\n");
diff --git a/security/integrity/ima/ima_init_ima_ns.c b/security/integrity/ima/ima_init_ima_ns.c
new file mode 100644
index 000000000000..daa609892849
--- /dev/null
+++ b/security/integrity/ima/ima_init_ima_ns.c
@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2016-2021 IBM Corporation
+ * Author:
+ * Yuqiong Sun <suny at us.ibm.com>
+ * Stefan Berger <stefanb at linux.vnet.ibm.com>
+ */
+
+#include "ima.h"
+
+static int ima_init_namespace(struct ima_namespace *ns)
+{
+ return 0;
+}
+
+int __init ima_ns_init(void)
+{
+ return ima_init_namespace(&init_ima_ns);
+}
+
+struct ima_namespace init_ima_ns = {
+};
+EXPORT_SYMBOL(init_ima_ns);
--
2.31.1
More information about the Linux-security-module-archive
mailing list