Re: [PATCH v39 01/42] integrity: disassociate ima_filter_rule from security_audit_rule

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2024-06-21 at 15:07 -0400, Paul Moore wrote:
> On Fri, Jun 21, 2024 at 12:50 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > On Fri, Dec 15, 2023 at 5:16 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> > > Create real functions for the ima_filter_rule interfaces.
> > > These replace #defines that obscure the reuse of audit
> > > interfaces. The new functions are put in security.c because
> > > they use security module registered hooks that we don't
> > > want exported.
> > > 
> > > Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> > > Reviewed-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
> > > Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> > > To: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> > > Cc: linux-integrity@xxxxxxxxxxxxxxx
> > > ---
> > >  include/linux/security.h     | 24 ++++++++++++++++++++++++
> > >  security/integrity/ima/ima.h | 26 --------------------------
> > >  security/security.c          | 21 +++++++++++++++++++++
> > >  3 files changed, 45 insertions(+), 26 deletions(-)
> > 
> > Mimi, Roberto, are you both okay if I merge this into the lsm/dev
> > branch?  The #define approach taken with the ima_filter_rule_XXX
> > macros likely contributed to the recent problem where the build
> > problem caused by the new gfp_t parameter was missed during review;
> > I'd like to get this into an upstream tree independent of the larger
> > stacking effort as I believe it has standalone value.
> 
> ... and I just realized neither Mimi or Roberto were directly CC'd on
> that last email, oops.  Fixed.

Paul, I do see things posted on the linux-integrity mailing list pretty quickly.
Unfortunately, something came up midday and I'm just seeing this now.  As for
Roberto, it's probably a time zone issue.

The patch looks ok, but I haven't had a chance to apply or test it.  I'll look
at it over the weekend and get back to you.

Mimi

> 
> > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > index 750130a7b9dd..4790508818ee 100644
> > > --- a/include/linux/security.h
> > > +++ b/include/linux/security.h
> > > @@ -2009,6 +2009,30 @@ static inline void security_audit_rule_free(void *lsmrule)
> > >  #endif /* CONFIG_SECURITY */
> > >  #endif /* CONFIG_AUDIT */
> > > 
> > > +#if defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY)
> > > +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
> > > +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule);
> > > +void ima_filter_rule_free(void *lsmrule);
> > > +
> > > +#else
> > > +
> > > +static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
> > > +                                          void **lsmrule)
> > > +{
> > > +       return 0;
> > > +}
> > > +
> > > +static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
> > > +                                           void *lsmrule)
> > > +{
> > > +       return 0;
> > > +}
> > > +
> > > +static inline void ima_filter_rule_free(void *lsmrule)
> > > +{ }
> > > +
> > > +#endif /* defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) */
> > > +
> > >  #ifdef CONFIG_SECURITYFS
> > > 
> > >  extern struct dentry *securityfs_create_file(const char *name, umode_t mode,
> > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> > > index c29db699c996..560d6104de72 100644
> > > --- a/security/integrity/ima/ima.h
> > > +++ b/security/integrity/ima/ima.h
> > > @@ -420,32 +420,6 @@ static inline void ima_free_modsig(struct modsig *modsig)
> > >  }
> > >  #endif /* CONFIG_IMA_APPRAISE_MODSIG */
> > > 
> > > -/* LSM based policy rules require audit */
> > > -#ifdef CONFIG_IMA_LSM_RULES
> > > -
> > > -#define ima_filter_rule_init security_audit_rule_init
> > > -#define ima_filter_rule_free security_audit_rule_free
> > > -#define ima_filter_rule_match security_audit_rule_match
> > > -
> > > -#else
> > > -
> > > -static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
> > > -                                      void **lsmrule)
> > > -{
> > > -       return -EINVAL;
> > > -}
> > > -
> > > -static inline void ima_filter_rule_free(void *lsmrule)
> > > -{
> > > -}
> > > -
> > > -static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
> > > -                                       void *lsmrule)
> > > -{
> > > -       return -EINVAL;
> > > -}
> > > -#endif /* CONFIG_IMA_LSM_RULES */
> > > -
> > >  #ifdef CONFIG_IMA_READ_POLICY
> > >  #define        POLICY_FILE_FLAGS       (S_IWUSR | S_IRUSR)
> > >  #else
> > > diff --git a/security/security.c b/security/security.c
> > > index d7b15ea67c3f..8e5379a76369 100644
> > > --- a/security/security.c
> > > +++ b/security/security.c
> > > @@ -5350,6 +5350,27 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
> > >  }
> > >  #endif /* CONFIG_AUDIT */
> > > 
> > > +#ifdef CONFIG_IMA_LSM_RULES
> > > +/*
> > > + * The integrity subsystem uses the same hooks as
> > > + * the audit subsystem.
> > > + */
> > > +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
> > > +{
> > > +       return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule);
> > > +}
> > > +
> > > +void ima_filter_rule_free(void *lsmrule)
> > > +{
> > > +       call_void_hook(audit_rule_free, lsmrule);
> > > +}
> > > +
> > > +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
> > > +{
> > > +       return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule);
> > > +}
> > > +#endif /* CONFIG_IMA_LSM_RULES */
> > > +
> > >  #ifdef CONFIG_BPF_SYSCALL
> > >  /**
> > >   * security_bpf() - Check if the bpf syscall operation is allowed
> > > --
> > > 2.41.0





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux