On Fri, Jun 21, 2024 at 12:50 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > On Fri, Dec 15, 2023 at 5:16 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: > > > > Create real functions for the ima_filter_rule interfaces. > > These replace #defines that obscure the reuse of audit > > interfaces. The new functions are put in security.c because > > they use security module registered hooks that we don't > > want exported. > > > > Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx> > > Reviewed-by: John Johansen <john.johansen@xxxxxxxxxxxxx> > > Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> > > To: Mimi Zohar <zohar@xxxxxxxxxxxxx> > > Cc: linux-integrity@xxxxxxxxxxxxxxx > > --- > > include/linux/security.h | 24 ++++++++++++++++++++++++ > > security/integrity/ima/ima.h | 26 -------------------------- > > security/security.c | 21 +++++++++++++++++++++ > > 3 files changed, 45 insertions(+), 26 deletions(-) > > Mimi, Roberto, are you both okay if I merge this into the lsm/dev > branch? The #define approach taken with the ima_filter_rule_XXX > macros likely contributed to the recent problem where the build > problem caused by the new gfp_t parameter was missed during review; > I'd like to get this into an upstream tree independent of the larger > stacking effort as I believe it has standalone value. ... and I just realized neither Mimi or Roberto were directly CC'd on that last email, oops. Fixed. > > diff --git a/include/linux/security.h b/include/linux/security.h > > index 750130a7b9dd..4790508818ee 100644 > > --- a/include/linux/security.h > > +++ b/include/linux/security.h > > @@ -2009,6 +2009,30 @@ static inline void security_audit_rule_free(void *lsmrule) > > #endif /* CONFIG_SECURITY */ > > #endif /* CONFIG_AUDIT */ > > > > +#if defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) > > +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); > > +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); > > +void ima_filter_rule_free(void *lsmrule); > > + > > +#else > > + > > +static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, > > + void **lsmrule) > > +{ > > + return 0; > > +} > > + > > +static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, > > + void *lsmrule) > > +{ > > + return 0; > > +} > > + > > +static inline void ima_filter_rule_free(void *lsmrule) > > +{ } > > + > > +#endif /* defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) */ > > + > > #ifdef CONFIG_SECURITYFS > > > > extern struct dentry *securityfs_create_file(const char *name, umode_t mode, > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > > index c29db699c996..560d6104de72 100644 > > --- a/security/integrity/ima/ima.h > > +++ b/security/integrity/ima/ima.h > > @@ -420,32 +420,6 @@ static inline void ima_free_modsig(struct modsig *modsig) > > } > > #endif /* CONFIG_IMA_APPRAISE_MODSIG */ > > > > -/* LSM based policy rules require audit */ > > -#ifdef CONFIG_IMA_LSM_RULES > > - > > -#define ima_filter_rule_init security_audit_rule_init > > -#define ima_filter_rule_free security_audit_rule_free > > -#define ima_filter_rule_match security_audit_rule_match > > - > > -#else > > - > > -static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, > > - void **lsmrule) > > -{ > > - return -EINVAL; > > -} > > - > > -static inline void ima_filter_rule_free(void *lsmrule) > > -{ > > -} > > - > > -static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, > > - void *lsmrule) > > -{ > > - return -EINVAL; > > -} > > -#endif /* CONFIG_IMA_LSM_RULES */ > > - > > #ifdef CONFIG_IMA_READ_POLICY > > #define POLICY_FILE_FLAGS (S_IWUSR | S_IRUSR) > > #else > > diff --git a/security/security.c b/security/security.c > > index d7b15ea67c3f..8e5379a76369 100644 > > --- a/security/security.c > > +++ b/security/security.c > > @@ -5350,6 +5350,27 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) > > } > > #endif /* CONFIG_AUDIT */ > > > > +#ifdef CONFIG_IMA_LSM_RULES > > +/* > > + * The integrity subsystem uses the same hooks as > > + * the audit subsystem. > > + */ > > +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) > > +{ > > + return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule); > > +} > > + > > +void ima_filter_rule_free(void *lsmrule) > > +{ > > + call_void_hook(audit_rule_free, lsmrule); > > +} > > + > > +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) > > +{ > > + return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule); > > +} > > +#endif /* CONFIG_IMA_LSM_RULES */ > > + > > #ifdef CONFIG_BPF_SYSCALL > > /** > > * security_bpf() - Check if the bpf syscall operation is allowed > > -- > > 2.41.0 -- paul-moore.com