[PATCH v31 01/28] integrity: disassociate ima_filter_rule from security_audit_rule

(off-list ancestor, not in this archive)
[PATCH v31 00/28] LSM: Module stacking for AppArmor · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 01/28] integrity: disassociate ima_filter_rule from security_audit_rule · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 02/28] LSM: Infrastructure management of the sock security · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 03/28] LSM: Add the lsmblob data structure. · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 04/28] LSM: provide lsm name and id slot mappings · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 05/28] IMA: avoid label collisions with stacked LSMs · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 06/28] LSM: Use lsmblob in security_audit_rule_match · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 07/28] LSM: Use lsmblob in security_kernel_act_as · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 08/28] LSM: Use lsmblob in security_secctx_to_secid · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 09/28] LSM: Use lsmblob in security_secid_to_secctx · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 10/28] LSM: Use lsmblob in security_ipc_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 11/28] LSM: Use lsmblob in security_task_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 12/28] LSM: Use lsmblob in security_inode_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 13/28] LSM: Use lsmblob in security_cred_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 14/28] LSM: Specify which LSM to display · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
Re: [PATCH v31 14/28] LSM: Specify which LSM to display · Christian Göttsche <hidden> · 2021-12-14
Re: [PATCH v31 14/28] LSM: Specify which LSM to display · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-14
[PATCH v31 15/28] LSM: Ensure the correct LSM context releaser · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 16/28] LSM: Use lsmcontext in security_secid_to_secctx · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 17/28] LSM: Use lsmcontext in security_inode_getsecctx · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-13
[PATCH v31 18/28] LSM: security_secid_to_secctx in netlink netfilter · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-14
[PATCH v31 19/28] NET: Store LSM netlabel data in a lsmblob · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-14
[PATCH v31 20/28] binder: Pass LSM identifier for confirmation · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-14
[PATCH v31 21/28] LSM: Extend security_secid_to_secctx to include module selection · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-14
[PATCH v31 22/28] Audit: Keep multiple LSM data in audit_names · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-14
[PATCH v31 23/28] Audit: Create audit_stamp structure · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-14
[PATCH v31 24/28] Audit: Add framework for auxiliary records · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-14
[PATCH v31 25/28] Audit: Add record for multiple task security contexts · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-14
[PATCH v31 26/28] Audit: Add record for multiple object security contexts · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-14
[PATCH v31 27/28] LSM: Add /proc attr entry for full LSM context · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-14
[PATCH v31 28/28] AppArmor: Remove the exclusive flag · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-14

Trailers: 1 Acked-by (1 maintainer)
Series revisions: v1 (2019-04-09) [diff vs current] → v1 (2019-04-09) [diff vs current] → v1 (2019-04-09) [diff vs current] → v1 (2019-05-31) [diff vs current] → v1 (2019-05-31) [diff vs current] → v1 (2019-06-02) [diff vs current] → v2 (2019-06-18) [diff vs current] → v3 (2019-06-21) [diff vs current] → v3 (2019-06-24) [diff vs current] → v4 (2019-06-26) [diff vs current] → v5 (2019-07-26) [diff vs current] → v7 (2019-08-07) [diff vs current] → v10 (2019-10-24) [diff vs current] → v10 (2019-11-13) [diff vs current] → v10 (2019-11-13) [diff vs current] → v11 (2019-11-13) [diff vs current] → v11 (2019-11-13) [diff vs current] → v11 (2019-11-13) [diff vs current] → v11 (2019-11-19) [diff vs current] → v11 (2019-11-27) [diff vs current] → v12 (2019-12-16) [diff vs current] → v12 (2019-12-16) [diff vs current] → v12 (2019-12-16) [diff vs current] → v12 (2019-12-24) [diff vs current] → v13 (2019-12-24) [diff vs current] → v14 (2020-01-24) [diff vs current] → v15 (2020-02-14) [diff vs current] → v15 (2020-04-06) [diff vs current] → v15 (2020-04-06) [diff vs current] → v15 (2020-04-06) [diff vs current] → v17 (2020-05-14) [diff vs current] → v18 (2020-07-09) [diff vs current] → v19 (2020-07-24) [diff vs current] → v20 (2020-08-26) [diff vs current] → v21 (2020-10-12) [diff vs current] → v22 (2020-11-04) [diff vs current] → v22 (2020-11-05) [diff vs current] → v22 (2020-11-20) [diff vs current] → v24 (2021-01-27) [diff vs current] → v25 (2021-03-09) [diff vs current] → v26 (2021-05-13) [diff vs current] → v27 (2021-06-11) [diff vs current] → v28 (2021-07-22) [diff vs current] → v28 (2021-07-22) [diff vs current] → v29 (2021-09-24) [diff vs current] → v30 (2021-11-24) [diff vs current] → v31 (2021-12-13) → v32 (2022-02-02) [diff vs current] → v33 (2022-03-10) [diff vs current] → v34 (2022-04-07) [diff vs current] → v34 (2022-04-15) [diff vs current] → v35 (2022-04-18) [diff vs current] → v36 (2022-06-09) [diff vs current] → v37 (2022-06-28) [diff vs current] → v38 (2022-09-27) [diff vs current]
Activity: Last reply 1622 days ago

From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2021-12-13 23:41:50
Also in: linux-security-module, selinux
Subsystem: extended verification module (evm), integrity measurement architecture (ima), security subsystem, the rest · Maintainers: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds

Create real functions for the ima_filter_rule interfaces.
These replace #defines that obscure the reuse of audit
interfaces. The new fuctions are put in security.c because
they use security module registered hooks that we don't
want exported.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <paul@paul-moore.com>
---
 include/linux/security.h     | 26 ++++++++++++++++++++++++++
 security/integrity/ima/ima.h | 26 --------------------------
 security/security.c          | 21 +++++++++++++++++++++
 3 files changed, 47 insertions(+), 26 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index bbf44a466832..71eac35bfa21 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h

@@ -1917,6 +1917,32 @@ static inline void security_audit_rule_free(void *lsmrule)
 #endif /* CONFIG_SECURITY */
 #endif /* CONFIG_AUDIT */
 
+#ifdef CONFIG_IMA_LSM_RULES
+#ifdef CONFIG_SECURITY
+int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
+int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule);
+void ima_filter_rule_free(void *lsmrule);
+
+#else
+
+static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
+					   void **lsmrule)
+{
+	return 0;
+}
+
+static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
+					    void *lsmrule)
+{
+	return 0;
+}
+
+static inline void ima_filter_rule_free(void *lsmrule)
+{ }
+
+#endif /* CONFIG_SECURITY */
+#endif /* CONFIG_IMA_LSM_RULES */
+
 #ifdef CONFIG_SECURITYFS
 
 extern struct dentry *securityfs_create_file(const char *name, umode_t mode,

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index be965a8715e4..1b5d70ac2dc9 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h

@@ -418,32 +418,6 @@ static inline void ima_free_modsig(struct modsig *modsig)
 }
 #endif /* CONFIG_IMA_APPRAISE_MODSIG */
 
-/* LSM based policy rules require audit */
-#ifdef CONFIG_IMA_LSM_RULES
-
-#define ima_filter_rule_init security_audit_rule_init
-#define ima_filter_rule_free security_audit_rule_free
-#define ima_filter_rule_match security_audit_rule_match
-
-#else
-
-static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
-				       void **lsmrule)
-{
-	return -EINVAL;
-}
-
-static inline void ima_filter_rule_free(void *lsmrule)
-{
-}
-
-static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
-					void *lsmrule)
-{
-	return -EINVAL;
-}
-#endif /* CONFIG_IMA_LSM_RULES */
-
 #ifdef	CONFIG_IMA_READ_POLICY
 #define	POLICY_FILE_FLAGS	(S_IWUSR | S_IRUSR)
 #else

diff --git a/security/security.c b/security/security.c
index c88167a414b4..063c9cbbcea6 100644
--- a/security/security.c
+++ b/security/security.c

@@ -2563,6 +2563,27 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
 }
 #endif /* CONFIG_AUDIT */
 
+#ifdef CONFIG_IMA_LSM_RULES
+/*
+ * The integrity subsystem uses the same hooks as
+ * the audit subsystem.
+ */
+int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
+{
+	return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule);
+}
+
+void ima_filter_rule_free(void *lsmrule)
+{
+	call_void_hook(audit_rule_free, lsmrule);
+}
+
+int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
+{
+	return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule);
+}
+#endif /* CONFIG_IMA_LSM_RULES */
+
 #ifdef CONFIG_BPF_SYSCALL
 int security_bpf(int cmd, union bpf_attr *attr, unsigned int size)
 {

-- 
2.31.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help