integrity: path_check update

- Add support in ima_path_check() for integrity checking without
incrementing the counts. (Required for nfsd.)
- rename and export opencount_get to ima_counts_get
- replace ima_shm_check calls with ima_counts_get
- export ima_path_check

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>

diff --git a/fs/exec.c b/fs/exec.c
index 998e856c3079c10726b74431bb4146ab90f2e186..618d6d1e2c52fa3cfa606ecb4247e5d8cb4a5750 100644 (file)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -130,7 +130,8 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
                                 MAY_READ | MAY_EXEC | MAY_OPEN);
        if (error)
                goto exit;
-       error = ima_path_check(&nd.path, MAY_READ | MAY_EXEC | MAY_OPEN);
+       error = ima_path_check(&nd.path, MAY_READ | MAY_EXEC | MAY_OPEN,
+                              IMA_COUNT_UPDATE);
        if (error)
                goto exit;
 
@@ -680,7 +681,7 @@ struct file *open_exec(const char *name)
        err = inode_permission(nd.path.dentry->d_inode, MAY_EXEC | MAY_OPEN);
        if (err)
                goto out_path_put;
-       err = ima_path_check(&nd.path, MAY_EXEC | MAY_OPEN);
+       err = ima_path_check(&nd.path, MAY_EXEC | MAY_OPEN, IMA_COUNT_UPDATE);
        if (err)
                goto out_path_put;
 

diff --git a/fs/namei.c b/fs/namei.c
index 78f253cd2d4fec1795ae17d81648d1f59799c2ba..b05a2b1dea64a026d020e07ef6d5f80d2007a223 100644 (file)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -853,7 +853,8 @@ static int __link_path_walk(const char *name, struct nameidata *nd)
                        err = inode_permission(nd->path.dentry->d_inode,
                                               MAY_EXEC);
                if (!err)
-                       err = ima_path_check(&nd->path, MAY_EXEC);
+                       err = ima_path_check(&nd->path, MAY_EXEC,
+                                            IMA_COUNT_UPDATE);
                if (err)
                        break;
 
@@ -1515,7 +1516,8 @@ int may_open(struct path *path, int acc_mode, int flag)
                return error;
 
        error = ima_path_check(path,
-                              acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC));
+                              acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC),
+                              IMA_COUNT_UPDATE);
        if (error)
                return error;
        /*

diff --git a/include/linux/ima.h b/include/linux/ima.h
index 0e2aa45cb0cefdfa3fc3727fe0a62926f1755172..b1b827d091a995e3d5b2e4a0d1e7f18e975e9319 100644 (file)
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -13,14 +13,17 @@
 #include <linux/fs.h>
 struct linux_binprm;
 
+#define IMA_COUNT_UPDATE 1
+#define IMA_COUNT_LEAVE 0
+
 #ifdef CONFIG_IMA
 extern int ima_bprm_check(struct linux_binprm *bprm);
 extern int ima_inode_alloc(struct inode *inode);
 extern void ima_inode_free(struct inode *inode);
-extern int ima_path_check(struct path *path, int mask);
+extern int ima_path_check(struct path *path, int mask, int update_counts);
 extern void ima_file_free(struct file *file);
 extern int ima_file_mmap(struct file *file, unsigned long prot);
-extern void ima_shm_check(struct file *file);
+extern void ima_counts_get(struct file *file);
 
 #else
 static inline int ima_bprm_check(struct linux_binprm *bprm)
@@ -38,7 +41,7 @@ static inline void ima_inode_free(struct inode *inode)
        return;
 }
 
-static inline int ima_path_check(struct path *path, int mask)
+static inline int ima_path_check(struct path *path, int mask, int update_counts)
 {
        return 0;
 }
@@ -53,7 +56,7 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
        return 0;
 }
 
-static inline void ima_shm_check(struct file *file)
+static inline void ima_counts_get(struct file *file)
 {
        return;
 }

diff --git a/ipc/shm.c b/ipc/shm.c
index faa46da99ebed7884ebb632f70ec7d79799d7f87..47b464229cd5910408440fee7d0ec575e79d00c9 100644 (file)
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -384,7 +384,7 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
        error = PTR_ERR(file);
        if (IS_ERR(file))
                goto no_file;
-       ima_shm_check(file);
+       ima_counts_get(file);
 
        id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
        if (id < 0) {
@@ -891,7 +891,7 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr)
        file = alloc_file(path.mnt, path.dentry, f_mode, &shm_file_operations);
        if (!file)
                goto out_free;
-       ima_shm_check(file);
+       ima_counts_get(file);
 
        file->private_data = sfd;
        file->f_mapping = shp->shm_file->f_mapping;

diff --git a/mm/shmem.c b/mm/shmem.c
index b25f95ce3db76bb3e04658b3d6a0273729fbae55..a817f75f1441fd70d293af453bb34a5ed475f90a 100644 (file)
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2684,7 +2684,7 @@ int shmem_zero_setup(struct vm_area_struct *vma)
        if (IS_ERR(file))
                return PTR_ERR(file);
 
-       ima_shm_check(file);
+       ima_counts_get(file);
        if (vma->vm_file)
                fput(vma->vm_file);
        vma->vm_file = file;

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index c4228c0eb2d0f35a1f3029083bff3d82876aa281..a2eb23310eaf1c18cb7bcaf0eadf0ed4019126ab 100644 (file)
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -125,6 +125,15 @@ static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,
        return rc;
 }
 
+static void ima_update_counts(struct ima_iint_cache *iint, int mask)
+{
+       iint->opencount++;
+       if ((mask & MAY_WRITE) || (mask == 0))
+               iint->writecount++;
+       else if (mask & (MAY_READ | MAY_EXEC))
+               iint->readcount++;
+}
+
 /**
  * ima_path_check - based on policy, collect/store measurement.
  * @path: contains a pointer to the path to be measured
@@ -143,7 +152,7 @@ static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,
  * Return 0 on success, an error code on failure.
  * (Based on the results of appraise_measurement().)
  */
-int ima_path_check(struct path *path, int mask)
+int ima_path_check(struct path *path, int mask, int update_counts)
 {
        struct inode *inode = path->dentry->d_inode;
        struct ima_iint_cache *iint;
@@ -157,11 +166,8 @@ int ima_path_check(struct path *path, int mask)
                return 0;
 
        mutex_lock(&iint->mutex);
-       iint->opencount++;
-       if ((mask & MAY_WRITE) || (mask == 0))
-               iint->writecount++;
-       else if (mask & (MAY_READ | MAY_EXEC))
-               iint->readcount++;
+       if (update_counts)
+               ima_update_counts(iint, mask);
 
        rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);
        if (rc < 0)
@@ -197,6 +203,7 @@ out:
        kref_put(&iint->refcount, iint_free);
        return 0;
 }
+EXPORT_SYMBOL_GPL(ima_path_check);
 
 static int process_measurement(struct file *file, const unsigned char *filename,
                               int mask, int function)
@@ -225,7 +232,16 @@ out:
        return rc;
 }
 
-static void opencount_get(struct file *file)
+/*
+ * ima_opens_get - increment file counts
+ *
+ * - for IPC shm and shmat file.
+ * - for nfsd exported files.
+ *
+ * Increment the counts for these files to prevent unnecessary
+ * imbalance messages.
+ */
+void ima_counts_get(struct file *file)
 {
        struct inode *inode = file->f_dentry->d_inode;
        struct ima_iint_cache *iint;
@@ -237,8 +253,14 @@ static void opencount_get(struct file *file)
                return;
        mutex_lock(&iint->mutex);
        iint->opencount++;
+       if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
+               iint->readcount++;
+
+       if (file->f_mode & FMODE_WRITE)
+               iint->writecount++;
        mutex_unlock(&iint->mutex);
 }
+EXPORT_SYMBOL_GPL(ima_counts_get);
 
 /**
  * ima_file_mmap - based on policy, collect/store measurement.
@@ -263,18 +285,6 @@ int ima_file_mmap(struct file *file, unsigned long prot)
        return 0;
 }
 
-/*
- * ima_shm_check - IPC shm and shmat create/fput a file
- *
- * Maintain the opencount for these files to prevent unnecessary
- * imbalance messages.
- */
-void ima_shm_check(struct file *file)
-{
-       opencount_get(file);
-       return;
-}
-
 /**
  * ima_bprm_check - based on policy, collect/store measurement.
  * @bprm: contains the linux_binprm structure