integrity: path_check update

- Add support in ima_path_check() for integrity checking without
incrementing the counts. (Required for nfsd.)
- rename and export opencount_get to ima_counts_get
- replace ima_shm_check calls with ima_counts_get
- export ima_path_check

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Mimi Zohar 2009-05-19 13:25:57 -04:00 committed by James Morris
parent 932995f0ce
commit b9fc745db8
6 changed files with 46 additions and 30 deletions

View File

@ -130,7 +130,8 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
MAY_READ | MAY_EXEC | MAY_OPEN); MAY_READ | MAY_EXEC | MAY_OPEN);
if (error) if (error)
goto exit; goto exit;
error = ima_path_check(&nd.path, MAY_READ | MAY_EXEC | MAY_OPEN); error = ima_path_check(&nd.path, MAY_READ | MAY_EXEC | MAY_OPEN,
IMA_COUNT_UPDATE);
if (error) if (error)
goto exit; goto exit;
@ -680,7 +681,7 @@ struct file *open_exec(const char *name)
err = inode_permission(nd.path.dentry->d_inode, MAY_EXEC | MAY_OPEN); err = inode_permission(nd.path.dentry->d_inode, MAY_EXEC | MAY_OPEN);
if (err) if (err)
goto out_path_put; goto out_path_put;
err = ima_path_check(&nd.path, MAY_EXEC | MAY_OPEN); err = ima_path_check(&nd.path, MAY_EXEC | MAY_OPEN, IMA_COUNT_UPDATE);
if (err) if (err)
goto out_path_put; goto out_path_put;

View File

@ -853,7 +853,8 @@ static int __link_path_walk(const char *name, struct nameidata *nd)
err = inode_permission(nd->path.dentry->d_inode, err = inode_permission(nd->path.dentry->d_inode,
MAY_EXEC); MAY_EXEC);
if (!err) if (!err)
err = ima_path_check(&nd->path, MAY_EXEC); err = ima_path_check(&nd->path, MAY_EXEC,
IMA_COUNT_UPDATE);
if (err) if (err)
break; break;
@ -1515,7 +1516,8 @@ int may_open(struct path *path, int acc_mode, int flag)
return error; return error;
error = ima_path_check(path, error = ima_path_check(path,
acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC)); acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC),
IMA_COUNT_UPDATE);
if (error) if (error)
return error; return error;
/* /*

View File

@ -13,14 +13,17 @@
#include <linux/fs.h> #include <linux/fs.h>
struct linux_binprm; struct linux_binprm;
#define IMA_COUNT_UPDATE 1
#define IMA_COUNT_LEAVE 0
#ifdef CONFIG_IMA #ifdef CONFIG_IMA
extern int ima_bprm_check(struct linux_binprm *bprm); extern int ima_bprm_check(struct linux_binprm *bprm);
extern int ima_inode_alloc(struct inode *inode); extern int ima_inode_alloc(struct inode *inode);
extern void ima_inode_free(struct inode *inode); extern void ima_inode_free(struct inode *inode);
extern int ima_path_check(struct path *path, int mask); extern int ima_path_check(struct path *path, int mask, int update_counts);
extern void ima_file_free(struct file *file); extern void ima_file_free(struct file *file);
extern int ima_file_mmap(struct file *file, unsigned long prot); extern int ima_file_mmap(struct file *file, unsigned long prot);
extern void ima_shm_check(struct file *file); extern void ima_counts_get(struct file *file);
#else #else
static inline int ima_bprm_check(struct linux_binprm *bprm) static inline int ima_bprm_check(struct linux_binprm *bprm)
@ -38,7 +41,7 @@ static inline void ima_inode_free(struct inode *inode)
return; return;
} }
static inline int ima_path_check(struct path *path, int mask) static inline int ima_path_check(struct path *path, int mask, int update_counts)
{ {
return 0; return 0;
} }
@ -53,7 +56,7 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
return 0; return 0;
} }
static inline void ima_shm_check(struct file *file) static inline void ima_counts_get(struct file *file)
{ {
return; return;
} }

View File

@ -384,7 +384,7 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
error = PTR_ERR(file); error = PTR_ERR(file);
if (IS_ERR(file)) if (IS_ERR(file))
goto no_file; goto no_file;
ima_shm_check(file); ima_counts_get(file);
id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
if (id < 0) { if (id < 0) {
@ -891,7 +891,7 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr)
file = alloc_file(path.mnt, path.dentry, f_mode, &shm_file_operations); file = alloc_file(path.mnt, path.dentry, f_mode, &shm_file_operations);
if (!file) if (!file)
goto out_free; goto out_free;
ima_shm_check(file); ima_counts_get(file);
file->private_data = sfd; file->private_data = sfd;
file->f_mapping = shp->shm_file->f_mapping; file->f_mapping = shp->shm_file->f_mapping;

View File

@ -2684,7 +2684,7 @@ int shmem_zero_setup(struct vm_area_struct *vma)
if (IS_ERR(file)) if (IS_ERR(file))
return PTR_ERR(file); return PTR_ERR(file);
ima_shm_check(file); ima_counts_get(file);
if (vma->vm_file) if (vma->vm_file)
fput(vma->vm_file); fput(vma->vm_file);
vma->vm_file = file; vma->vm_file = file;

View File

@ -125,6 +125,15 @@ static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,
return rc; return rc;
} }
static void ima_update_counts(struct ima_iint_cache *iint, int mask)
{
iint->opencount++;
if ((mask & MAY_WRITE) || (mask == 0))
iint->writecount++;
else if (mask & (MAY_READ | MAY_EXEC))
iint->readcount++;
}
/** /**
* ima_path_check - based on policy, collect/store measurement. * ima_path_check - based on policy, collect/store measurement.
* @path: contains a pointer to the path to be measured * @path: contains a pointer to the path to be measured
@ -143,7 +152,7 @@ static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,
* Return 0 on success, an error code on failure. * Return 0 on success, an error code on failure.
* (Based on the results of appraise_measurement().) * (Based on the results of appraise_measurement().)
*/ */
int ima_path_check(struct path *path, int mask) int ima_path_check(struct path *path, int mask, int update_counts)
{ {
struct inode *inode = path->dentry->d_inode; struct inode *inode = path->dentry->d_inode;
struct ima_iint_cache *iint; struct ima_iint_cache *iint;
@ -157,11 +166,8 @@ int ima_path_check(struct path *path, int mask)
return 0; return 0;
mutex_lock(&iint->mutex); mutex_lock(&iint->mutex);
iint->opencount++; if (update_counts)
if ((mask & MAY_WRITE) || (mask == 0)) ima_update_counts(iint, mask);
iint->writecount++;
else if (mask & (MAY_READ | MAY_EXEC))
iint->readcount++;
rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK); rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);
if (rc < 0) if (rc < 0)
@ -197,6 +203,7 @@ out:
kref_put(&iint->refcount, iint_free); kref_put(&iint->refcount, iint_free);
return 0; return 0;
} }
EXPORT_SYMBOL_GPL(ima_path_check);
static int process_measurement(struct file *file, const unsigned char *filename, static int process_measurement(struct file *file, const unsigned char *filename,
int mask, int function) int mask, int function)
@ -225,7 +232,16 @@ out:
return rc; return rc;
} }
static void opencount_get(struct file *file) /*
* ima_opens_get - increment file counts
*
* - for IPC shm and shmat file.
* - for nfsd exported files.
*
* Increment the counts for these files to prevent unnecessary
* imbalance messages.
*/
void ima_counts_get(struct file *file)
{ {
struct inode *inode = file->f_dentry->d_inode; struct inode *inode = file->f_dentry->d_inode;
struct ima_iint_cache *iint; struct ima_iint_cache *iint;
@ -237,8 +253,14 @@ static void opencount_get(struct file *file)
return; return;
mutex_lock(&iint->mutex); mutex_lock(&iint->mutex);
iint->opencount++; iint->opencount++;
if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
iint->readcount++;
if (file->f_mode & FMODE_WRITE)
iint->writecount++;
mutex_unlock(&iint->mutex); mutex_unlock(&iint->mutex);
} }
EXPORT_SYMBOL_GPL(ima_counts_get);
/** /**
* ima_file_mmap - based on policy, collect/store measurement. * ima_file_mmap - based on policy, collect/store measurement.
@ -263,18 +285,6 @@ int ima_file_mmap(struct file *file, unsigned long prot)
return 0; return 0;
} }
/*
* ima_shm_check - IPC shm and shmat create/fput a file
*
* Maintain the opencount for these files to prevent unnecessary
* imbalance messages.
*/
void ima_shm_check(struct file *file)
{
opencount_get(file);
return;
}
/** /**
* ima_bprm_check - based on policy, collect/store measurement. * ima_bprm_check - based on policy, collect/store measurement.
* @bprm: contains the linux_binprm structure * @bprm: contains the linux_binprm structure