Create real functions for the ima_filter_rule interfaces. These replace #defines that obscure the reuse of audit interfaces. The new fuctions are put in security.c because they use security module registered hooks that we don't want exported. Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx> --- include/linux/security.h | 26 ++++++++++++++++++++++++++ security/integrity/ima/ima.h | 26 -------------------------- security/security.c | 21 +++++++++++++++++++++ 3 files changed, 47 insertions(+), 26 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 6d72772182c8..33e0f2e659df 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1909,6 +1909,32 @@ static inline void security_audit_rule_free(void *lsmrule) #endif /* CONFIG_SECURITY */ #endif /* CONFIG_AUDIT */ +#ifdef CONFIG_IMA_LSM_RULES +#ifdef CONFIG_SECURITY +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); +void ima_filter_rule_free(void *lsmrule); + +#else + +static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, + void **lsmrule) +{ + return 0; +} + +static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, + void *lsmrule) +{ + return 0; +} + +static inline void ima_filter_rule_free(void *lsmrule) +{ } + +#endif /* CONFIG_SECURITY */ +#endif /* CONFIG_IMA_LSM_RULES */ + #ifdef CONFIG_SECURITYFS extern struct dentry *securityfs_create_file(const char *name, umode_t mode, diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index be965a8715e4..1b5d70ac2dc9 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -418,32 +418,6 @@ static inline void ima_free_modsig(struct modsig *modsig) } #endif /* CONFIG_IMA_APPRAISE_MODSIG */ -/* LSM based policy rules require audit */ -#ifdef CONFIG_IMA_LSM_RULES - -#define ima_filter_rule_init security_audit_rule_init -#define ima_filter_rule_free security_audit_rule_free -#define ima_filter_rule_match security_audit_rule_match - -#else - -static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) -{ - return -EINVAL; -} - -static inline void ima_filter_rule_free(void *lsmrule) -{ -} - -static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) -{ - return -EINVAL; -} -#endif /* CONFIG_IMA_LSM_RULES */ - #ifdef CONFIG_IMA_READ_POLICY #define POLICY_FILE_FLAGS (S_IWUSR | S_IRUSR) #else diff --git a/security/security.c b/security/security.c index 22261d79f333..5208b21c8433 100644 --- a/security/security.c +++ b/security/security.c @@ -2566,6 +2566,27 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) } #endif /* CONFIG_AUDIT */ +#ifdef CONFIG_IMA_LSM_RULES +/* + * The integrity subsystem uses the same hooks as + * the audit subsystem. + */ +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) +{ + return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule); +} + +void ima_filter_rule_free(void *lsmrule) +{ + call_void_hook(audit_rule_free, lsmrule); +} + +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) +{ + return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule); +} +#endif /* CONFIG_IMA_LSM_RULES */ + #ifdef CONFIG_BPF_SYSCALL int security_bpf(int cmd, union bpf_attr *attr, unsigned int size) { -- 2.31.1