tmakin/tegra-linux-noble
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

UBUNTU: SAUCE: apparmor4.0.0 [01/90]: LSM stacking v39: integrity: disassociate ima_filter_rule from security_audit_rule

Browse Source 
BugLink: http://bugs.launchpad.net/bugs/2028253

Create real functions for the ima_filter_rule interfaces.
These replace #defines that obscure the reuse of audit
interfaces. The new functions are put in security.c because
they use security module registered hooks that we don't
want exported.

Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org
(cherry picked from commit ceac4ac3a986cd84c6b83ff962fbc4206e42bd99
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
This commit is contained in:
Casey Schaufler
2023-05-18 13:54:20 -07:00
committed by Paolo Pisati
parent 95dc0f6212
commit 4b2f41f91a
3 changed files with 45 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
include/linux/security.h
+24
View File
@@ -2023,6 +2023,30 @@ static inline void security_audit_rule_free(void *lsmrule)
#endif /* CONFIG_SECURITY */
#endif /* CONFIG_AUDIT */
#if defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY)
int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule);
void ima_filter_rule_free(void *lsmrule);
#else
static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
void **lsmrule)
{
return 0;
}
static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
void *lsmrule)
{
return 0;
}
static inline void ima_filter_rule_free(void *lsmrule)
{ }
#endif /* defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) */
#ifdef CONFIG_SECURITYFS
extern struct dentry *securityfs_create_file(const char *name, umode_t mode,
security/integrity/ima/ima.h
-26
View File
@@ -420,32 +420,6 @@ static inline void ima_free_modsig(struct modsig *modsig)
}
#endif /* CONFIG_IMA_APPRAISE_MODSIG */
/* LSM based policy rules require audit */
#ifdef CONFIG_IMA_LSM_RULES
#define ima_filter_rule_init security_audit_rule_init
#define ima_filter_rule_free security_audit_rule_free
#define ima_filter_rule_match security_audit_rule_match
#else
static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
void **lsmrule)
{
return -EINVAL;
}
static inline void ima_filter_rule_free(void *lsmrule)
{
}
static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
void *lsmrule)
{
return -EINVAL;
}
#endif /* CONFIG_IMA_LSM_RULES */
#ifdef CONFIG_IMA_READ_POLICY
#define POLICY_FILE_FLAGS (S_IWUSR | S_IRUSR)
#else
security/security.c
+21
View File
@@ -5404,6 +5404,27 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
}
#endif /* CONFIG_AUDIT */
#ifdef CONFIG_IMA_LSM_RULES
/*
* The integrity subsystem uses the same hooks as
* the audit subsystem.
*/
int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
{
return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule);
}
void ima_filter_rule_free(void *lsmrule)
{
call_void_hook(audit_rule_free, lsmrule);
}
int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
{
return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule);
}
#endif /* CONFIG_IMA_LSM_RULES */
#ifdef CONFIG_BPF_SYSCALL
/**
* security_bpf() - Check if the bpf syscall operation is allowed