On Fri, 2023-12-15 at 14:15 -0800, Casey Schaufler wrote: > Create real functions for the ima_filter_rule interfaces. > These replace #defines that obscure the reuse of audit > interfaces. The new functions are put in security.c because > they use security module registered hooks that we don't > want exported. > > Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx> > Reviewed-by: John Johansen <john.johansen@xxxxxxxxxxxxx> > Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> > To: Mimi Zohar <zohar@xxxxxxxxxxxxx> > Cc: linux-integrity@xxxxxxxxxxxxxxx > --- > include/linux/security.h | 24 ++++++++++++++++++++++++ > security/integrity/ima/ima.h | 26 -------------------------- > security/security.c | 21 +++++++++++++++++++++ > 3 files changed, 45 insertions(+), 26 deletions(-) > > diff --git a/include/linux/security.h b/include/linux/security.h > index 750130a7b9dd..4790508818ee 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -2009,6 +2009,30 @@ static inline void security_audit_rule_free(void *lsmrule) > #endif /* CONFIG_SECURITY */ > #endif /* CONFIG_AUDIT */ > > +#if defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) > +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); > +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); > +void ima_filter_rule_free(void *lsmrule); > + > +#else > + > +static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, > + void **lsmrule) > +{ > + return 0; > +} > + > +static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, > + void *lsmrule) > +{ > + return 0; > +} > + scripts/checkpatch.pl complains about the formatting of "void *lsmrule". > +static inline void ima_filter_rule_free(void *lsmrule) > +{ } > + > +#endif /* defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) */ > + > #ifdef CONFIG_SECURITYFS > > extern struct dentry *securityfs_create_file(const char *name, umode_t mode, > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index c29db699c996..560d6104de72 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -420,32 +420,6 @@ static inline void ima_free_modsig(struct modsig *modsig) > } > #endif /* CONFIG_IMA_APPRAISE_MODSIG */ > > -/* LSM based policy rules require audit */ > -#ifdef CONFIG_IMA_LSM_RULES > - > -#define ima_filter_rule_init security_audit_rule_init > -#define ima_filter_rule_free security_audit_rule_free > -#define ima_filter_rule_match security_audit_rule_match > - > -#else > - > -static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, > - void **lsmrule) > -{ > - return -EINVAL; > -} > - > -static inline void ima_filter_rule_free(void *lsmrule) > -{ > -} > - > -static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, > - void *lsmrule) > -{ > - return -EINVAL; > -} > -#endif /* CONFIG_IMA_LSM_RULES */ > - > #ifdef CONFIG_IMA_READ_POLICY > #define POLICY_FILE_FLAGS (S_IWUSR | S_IRUSR) > #else > diff --git a/security/security.c b/security/security.c > index d7b15ea67c3f..8e5379a76369 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -5350,6 +5350,27 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) > } > #endif /* CONFIG_AUDIT */ > > +#ifdef CONFIG_IMA_LSM_RULES > +/* > + * The integrity subsystem uses the same hooks as > + * the audit subsystem. - No reason for the comment to be split. - Please note that these calls are limited to IMA, not the integrity subsystem in general. > + */ > +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) > +{ > + return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule); > +} > + > +void ima_filter_rule_free(void *lsmrule) > +{ > + call_void_hook(audit_rule_free, lsmrule); > +} > + > +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) > +{ > + return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule); > +} > +#endif /* CONFIG_IMA_LSM_RULES */ In terms of function naming, refer to thread with Roberto's response. > + > #ifdef CONFIG_BPF_SYSCALL > /** > * security_bpf() - Check if the bpf syscall operation is allowed