[PATCH v39 01/42] integrity: disassociate ima_filter_rule from security_audit_rule
Mimi Zohar
zohar at linux.ibm.com
Fri Jun 21 20:23:41 UTC 2024
On Fri, 2024-06-21 at 15:07 -0400, Paul Moore wrote:
> On Fri, Jun 21, 2024 at 12:50 PM Paul Moore <paul at paul-moore.com> wrote:
> > On Fri, Dec 15, 2023 at 5:16 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
> > > Create real functions for the ima_filter_rule interfaces.
> > > These replace #defines that obscure the reuse of audit
> > > interfaces. The new functions are put in security.c because
> > > they use security module registered hooks that we don't
> > > want exported.
> > >
> > > Acked-by: Paul Moore <paul at paul-moore.com>
> > > Reviewed-by: John Johansen <john.johansen at canonical.com>
> > > Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> > > To: Mimi Zohar <zohar at linux.ibm.com>
> > > Cc: linux-integrity at vger.kernel.org
> > > ---
> > > include/linux/security.h | 24 ++++++++++++++++++++++++
> > > security/integrity/ima/ima.h | 26 --------------------------
> > > security/security.c | 21 +++++++++++++++++++++
> > > 3 files changed, 45 insertions(+), 26 deletions(-)
> >
> > Mimi, Roberto, are you both okay if I merge this into the lsm/dev
> > branch? The #define approach taken with the ima_filter_rule_XXX
> > macros likely contributed to the recent problem where the build
> > problem caused by the new gfp_t parameter was missed during review;
> > I'd like to get this into an upstream tree independent of the larger
> > stacking effort as I believe it has standalone value.
>
> ... and I just realized neither Mimi or Roberto were directly CC'd on
> that last email, oops. Fixed.
Paul, I do see things posted on the linux-integrity mailing list pretty quickly.
Unfortunately, something came up midday and I'm just seeing this now. As for
Roberto, it's probably a time zone issue.
The patch looks ok, but I haven't had a chance to apply or test it. I'll look
at it over the weekend and get back to you.
Mimi
>
> > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > index 750130a7b9dd..4790508818ee 100644
> > > --- a/include/linux/security.h
> > > +++ b/include/linux/security.h
> > > @@ -2009,6 +2009,30 @@ static inline void security_audit_rule_free(void *lsmrule)
> > > #endif /* CONFIG_SECURITY */
> > > #endif /* CONFIG_AUDIT */
> > >
> > > +#if defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY)
> > > +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
> > > +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule);
> > > +void ima_filter_rule_free(void *lsmrule);
> > > +
> > > +#else
> > > +
> > > +static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
> > > + void **lsmrule)
> > > +{
> > > + return 0;
> > > +}
> > > +
> > > +static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
> > > + void *lsmrule)
> > > +{
> > > + return 0;
> > > +}
> > > +
> > > +static inline void ima_filter_rule_free(void *lsmrule)
> > > +{ }
> > > +
> > > +#endif /* defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) */
> > > +
> > > #ifdef CONFIG_SECURITYFS
> > >
> > > extern struct dentry *securityfs_create_file(const char *name, umode_t mode,
> > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> > > index c29db699c996..560d6104de72 100644
> > > --- a/security/integrity/ima/ima.h
> > > +++ b/security/integrity/ima/ima.h
> > > @@ -420,32 +420,6 @@ static inline void ima_free_modsig(struct modsig *modsig)
> > > }
> > > #endif /* CONFIG_IMA_APPRAISE_MODSIG */
> > >
> > > -/* LSM based policy rules require audit */
> > > -#ifdef CONFIG_IMA_LSM_RULES
> > > -
> > > -#define ima_filter_rule_init security_audit_rule_init
> > > -#define ima_filter_rule_free security_audit_rule_free
> > > -#define ima_filter_rule_match security_audit_rule_match
> > > -
> > > -#else
> > > -
> > > -static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
> > > - void **lsmrule)
> > > -{
> > > - return -EINVAL;
> > > -}
> > > -
> > > -static inline void ima_filter_rule_free(void *lsmrule)
> > > -{
> > > -}
> > > -
> > > -static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
> > > - void *lsmrule)
> > > -{
> > > - return -EINVAL;
> > > -}
> > > -#endif /* CONFIG_IMA_LSM_RULES */
> > > -
> > > #ifdef CONFIG_IMA_READ_POLICY
> > > #define POLICY_FILE_FLAGS (S_IWUSR | S_IRUSR)
> > > #else
> > > diff --git a/security/security.c b/security/security.c
> > > index d7b15ea67c3f..8e5379a76369 100644
> > > --- a/security/security.c
> > > +++ b/security/security.c
> > > @@ -5350,6 +5350,27 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
> > > }
> > > #endif /* CONFIG_AUDIT */
> > >
> > > +#ifdef CONFIG_IMA_LSM_RULES
> > > +/*
> > > + * The integrity subsystem uses the same hooks as
> > > + * the audit subsystem.
> > > + */
> > > +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
> > > +{
> > > + return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule);
> > > +}
> > > +
> > > +void ima_filter_rule_free(void *lsmrule)
> > > +{
> > > + call_void_hook(audit_rule_free, lsmrule);
> > > +}
> > > +
> > > +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
> > > +{
> > > + return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule);
> > > +}
> > > +#endif /* CONFIG_IMA_LSM_RULES */
> > > +
> > > #ifdef CONFIG_BPF_SYSCALL
> > > /**
> > > * security_bpf() - Check if the bpf syscall operation is allowed
> > > --
> > > 2.41.0
More information about the Linux-security-module-archive
mailing list