[Cc'ing the audit mailing list] On Mon, 2020-06-29 at 10:30 -0500, Tyler Hicks wrote: > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index ff2bf57ff0c7..5d62ee8319f4 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -419,24 +419,24 @@ static inline void ima_free_modsig(struct modsig *modsig) > /* LSM based policy rules require audit */ > #ifdef CONFIG_IMA_LSM_RULES > > -#define security_filter_rule_init security_audit_rule_init > -#define security_filter_rule_free security_audit_rule_free > -#define security_filter_rule_match security_audit_rule_match > +#define ima_audit_rule_init security_audit_rule_init > +#define ima_audit_rule_free security_audit_rule_free > +#define ima_audit_rule_match security_audit_rule_match Instead of defining an entirely new method of identifying files, IMA piggybacks on top of the existing audit rule syntax. IMA policy rules "filter" based on this information. IMA already audits security/integrity related events. Using the word "audit" here will make things even more confusing than they currently are. Renaming these functions as ima_audit_rule_XXX provides no benefit. At that point, IMA might as well call the security_audit_rule prefixed function names directly. As a quick fix, rename them as "ima_filter_rule". The correct solution would probably be to rename these prefixed "security_audit_rule" functions as "security_filter_rule", so that both the audit subsystem and IMA could use them. Mimi
