Linux-Modules Archive on lore.kernel.org
 help / color / Atom feed
From: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
	"Luis R. Rodriguez" <mcgrof@suse.com>,
	kexec@lists.infradead.org, linux-modules@vger.kernel.org,
	fsdevel@vger.kernel.org, David Howells <dhowells@redhat.com>,
	David Woodhouse <dwmw2@infradead.org>,
	Kees Cook <keescook@chromium.org>,
	Dmitry Torokhov <dmitry.torokhov@gmail.com>,
	Eric Biederman <ebiederm@xmission.com>,
	Rusty Russell <rusty@rustcorp.com.au>
Subject: Re: [PATCH v3 03/22] ima: use "ima_hooks" enum as function argument
Date: Wed, 10 Feb 2016 21:35:30 +0200
Message-ID: <CACE9dm9Ho0ACUQ56bWTRmM8OFtK5rROX5=rVz1V1j4wSqyP21A@mail.gmail.com> (raw)
In-Reply-To: <1454526390-19792-4-git-send-email-zohar@linux.vnet.ibm.com>

On Wed, Feb 3, 2016 at 9:06 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> Cleanup the function arguments by using "ima_hooks" enumerator as needed.
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>

> ---
>  security/integrity/ima/ima.h          | 25 +++++++++++++++++--------
>  security/integrity/ima/ima_api.c      |  6 +++---
>  security/integrity/ima/ima_appraise.c | 13 +++++++------
>  security/integrity/ima/ima_main.c     | 14 +++++++-------
>  security/integrity/ima/ima_policy.c   |  6 +++---
>  5 files changed, 37 insertions(+), 27 deletions(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index fb8da36..b7e7935 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -137,9 +137,18 @@ static inline unsigned long ima_hash_key(u8 *digest)
>         return hash_long(*digest, IMA_HASH_BITS);
>  }
>
> +enum ima_hooks {
> +       FILE_CHECK = 1,
> +       MMAP_CHECK,
> +       BPRM_CHECK,
> +       MODULE_CHECK,
> +       FIRMWARE_CHECK,
> +       POST_SETATTR
> +};
> +
>  /* LIM API function definitions */
> -int ima_get_action(struct inode *inode, int mask, int function);
> -int ima_must_measure(struct inode *inode, int mask, int function);
> +int ima_get_action(struct inode *inode, int mask, enum ima_hooks func);
> +int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
>  int ima_collect_measurement(struct integrity_iint_cache *iint,
>                             struct file *file, enum hash_algo algo);
>  void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
> @@ -156,8 +165,6 @@ void ima_free_template_entry(struct ima_template_entry *entry);
>  const char *ima_d_path(struct path *path, char **pathbuf);
>
>  /* IMA policy related functions */
> -enum ima_hooks { FILE_CHECK = 1, MMAP_CHECK, BPRM_CHECK, MODULE_CHECK, FIRMWARE_CHECK, POST_SETATTR };
> -
>  int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
>                      int flags);
>  void ima_init_policy(void);
> @@ -179,21 +186,22 @@ int ima_policy_show(struct seq_file *m, void *v);
>  #define IMA_APPRAISE_FIRMWARE  0x10
>
>  #ifdef CONFIG_IMA_APPRAISE
> -int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
> +int ima_appraise_measurement(enum ima_hooks func,
> +                            struct integrity_iint_cache *iint,
>                              struct file *file, const unsigned char *filename,
>                              struct evm_ima_xattr_data *xattr_value,
>                              int xattr_len, int opened);
>  int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
>  void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
>  enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
> -                                          int func);
> +                                          enum ima_hooks func);
>  enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
>                                  int xattr_len);
>  int ima_read_xattr(struct dentry *dentry,
>                    struct evm_ima_xattr_data **xattr_value);
>
>  #else
> -static inline int ima_appraise_measurement(int func,
> +static inline int ima_appraise_measurement(enum ima_hooks func,
>                                            struct integrity_iint_cache *iint,
>                                            struct file *file,
>                                            const unsigned char *filename,
> @@ -215,7 +223,8 @@ static inline void ima_update_xattr(struct integrity_iint_cache *iint,
>  }
>
>  static inline enum integrity_status ima_get_cache_status(struct integrity_iint_cache
> -                                                        *iint, int func)
> +                                                        *iint,
> +                                                        enum ima_hooks func)
>  {
>         return INTEGRITY_UNKNOWN;
>  }
> diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
> index e7c7a5d..8750254 100644
> --- a/security/integrity/ima/ima_api.c
> +++ b/security/integrity/ima/ima_api.c
> @@ -156,7 +156,7 @@ err_out:
>   * ima_get_action - appraise & measure decision based on policy.
>   * @inode: pointer to inode to measure
>   * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
> - * @function: calling function (FILE_CHECK, BPRM_CHECK, MMAP_CHECK, MODULE_CHECK)
> + * @func: caller identifier
>   *
>   * The policy is defined in terms of keypairs:
>   *             subj=, obj=, type=, func=, mask=, fsmagic=
> @@ -168,13 +168,13 @@ err_out:
>   * Returns IMA_MEASURE, IMA_APPRAISE mask.
>   *
>   */
> -int ima_get_action(struct inode *inode, int mask, int function)
> +int ima_get_action(struct inode *inode, int mask, enum ima_hooks func)
>  {
>         int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
>
>         flags &= ima_policy_flag;
>
> -       return ima_match_policy(inode, function, mask, flags);
> +       return ima_match_policy(inode, func, mask, flags);
>  }
>
>  /*
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 9c2b46b..2888449 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -67,7 +67,7 @@ static int ima_fix_xattr(struct dentry *dentry,
>
>  /* Return specific func appraised cached result */
>  enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
> -                                          int func)
> +                                          enum ima_hooks func)
>  {
>         switch (func) {
>         case MMAP_CHECK:
> @@ -85,7 +85,8 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
>  }
>
>  static void ima_set_cache_status(struct integrity_iint_cache *iint,
> -                                int func, enum integrity_status status)
> +                                enum ima_hooks func,
> +                                enum integrity_status status)
>  {
>         switch (func) {
>         case MMAP_CHECK:
> @@ -103,11 +104,11 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
>         case FILE_CHECK:
>         default:
>                 iint->ima_file_status = status;
> -               break;
>         }
>  }
>
> -static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
> +static void ima_cache_flags(struct integrity_iint_cache *iint,
> +                            enum ima_hooks func)
>  {
>         switch (func) {
>         case MMAP_CHECK:
> @@ -125,7 +126,6 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
>         case FILE_CHECK:
>         default:
>                 iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
> -               break;
>         }
>  }
>
> @@ -185,7 +185,8 @@ int ima_read_xattr(struct dentry *dentry,
>   *
>   * Return 0 on success, error code otherwise
>   */
> -int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
> +int ima_appraise_measurement(enum ima_hooks func,
> +                            struct integrity_iint_cache *iint,
>                              struct file *file, const unsigned char *filename,
>                              struct evm_ima_xattr_data *xattr_value,
>                              int xattr_len, int opened)
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index d9fc463..78a80c8 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -153,8 +153,8 @@ void ima_file_free(struct file *file)
>         ima_check_last_writer(iint, inode, file);
>  }
>
> -static int process_measurement(struct file *file, int mask, int function,
> -                              int opened)
> +static int process_measurement(struct file *file, int mask,
> +                              enum ima_hooks func, int opened)
>  {
>         struct inode *inode = file_inode(file);
>         struct integrity_iint_cache *iint = NULL;
> @@ -174,8 +174,8 @@ static int process_measurement(struct file *file, int mask, int function,
>          * bitmask based on the appraise/audit/measurement policy.
>          * Included is the appraise submask.
>          */
> -       action = ima_get_action(inode, mask, function);
> -       violation_check = ((function == FILE_CHECK || function == MMAP_CHECK) &&
> +       action = ima_get_action(inode, mask, func);
> +       violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
>                            (ima_policy_flag & IMA_MEASURE));
>         if (!action && !violation_check)
>                 return 0;
> @@ -184,7 +184,7 @@ static int process_measurement(struct file *file, int mask, int function,
>
>         /*  Is the appraise rule hook specific?  */
>         if (action & IMA_FILE_APPRAISE)
> -               function = FILE_CHECK;
> +               func = FILE_CHECK;
>
>         mutex_lock(&inode->i_mutex);
>
> @@ -214,7 +214,7 @@ static int process_measurement(struct file *file, int mask, int function,
>         /* Nothing to do, just return existing appraised status */
>         if (!action) {
>                 if (must_appraise)
> -                       rc = ima_get_cache_status(iint, function);
> +                       rc = ima_get_cache_status(iint, func);
>                 goto out_digsig;
>         }
>
> @@ -240,7 +240,7 @@ static int process_measurement(struct file *file, int mask, int function,
>                 ima_store_measurement(iint, file, pathname,
>                                       xattr_value, xattr_len);
>         if (action & IMA_APPRAISE_SUBMASK)
> -               rc = ima_appraise_measurement(function, iint, file, pathname,
> +               rc = ima_appraise_measurement(func, iint, file, pathname,
>                                               xattr_value, xattr_len, opened);
>         if (action & IMA_AUDIT)
>                 ima_audit_measurement(iint, pathname);
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 43b6425..b089ebe 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -207,8 +207,8 @@ static void ima_lsm_update_rules(void)
>   *
>   * Returns true on rule match, false on failure.
>   */
> -static bool ima_match_rules(struct ima_rule_entry *rule,
> -                           struct inode *inode, enum ima_hooks func, int mask)
> +static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
> +                           enum ima_hooks func, int mask)
>  {
>         struct task_struct *tsk = current;
>         const struct cred *cred = current_cred();
> @@ -289,7 +289,7 @@ retry:
>   * In addition to knowing that we need to appraise the file in general,
>   * we need to differentiate between calling hooks, for hook specific rules.
>   */
> -static int get_subaction(struct ima_rule_entry *rule, int func)
> +static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
>  {
>         if (!(rule->flags & IMA_FUNC))
>                 return IMA_FILE_APPRAISE;
> --
> 2.1.0
>



-- 
Thanks,
Dmitry

  parent reply index

Thread overview: 77+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-02-03 19:06 [PATCH v3 00/22] vfs: support for a common kernel file loader Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 01/22] ima: separate 'security.ima' reading functionality from collect Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 02/22] ima: refactor ima_policy_show() to display "ima_hooks" rules Mimi Zohar
2016-02-07 19:45   ` Petko Manolov
2016-02-10 19:33   ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 03/22] ima: use "ima_hooks" enum as function argument Mimi Zohar
2016-02-07 19:46   ` Petko Manolov
2016-02-10 19:35   ` Dmitry Kasatkin [this message]
2016-02-03 19:06 ` [PATCH v3 04/22] firmware: simplify dev_*() print messages for generic helpers Mimi Zohar
2016-02-04 17:26   ` Kees Cook
2016-02-03 19:06 ` [PATCH v3 05/22] firmware: move completing fw into a helper Mimi Zohar
2016-02-04 17:27   ` Kees Cook
2016-02-03 19:06 ` [PATCH v3 06/22] firmware: fold successful fw read early Mimi Zohar
2016-02-04 17:36   ` Kees Cook
2016-02-04 20:26     ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 07/22] vfs: define a generic function to read a file from the kernel Mimi Zohar
2016-02-04 17:41   ` Kees Cook
2016-02-03 19:06 ` [PATCH v3 08/22] vfs: define kernel_read_file_id enumeration Mimi Zohar
2016-02-04 17:41   ` Kees Cook
2016-02-04 19:45   ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 09/22] ima: provide buffer hash calculation function Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 10/22] ima: calculate the hash of a buffer using aynchronous hash(ahash) Mimi Zohar
2016-02-10 19:58   ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 11/22] ima: define a new hook to measure and appraise a file already in memory Mimi Zohar
2016-02-10 20:27   ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 12/22] vfs: define kernel_read_file_from_path Mimi Zohar
2016-02-04 17:46   ` Kees Cook
2016-02-04 19:47   ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 13/22] firmware: replace call to fw_read_file_contents() with kernel version Mimi Zohar
2016-02-04 17:56   ` Kees Cook
2016-02-04 19:51   ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 14/22] security: define kernel_read_file hook Mimi Zohar
2016-02-04 17:57   ` Kees Cook
2016-02-04 19:54   ` Luis R. Rodriguez
2016-02-11 16:54   ` Casey Schaufler
2016-02-11 19:35     ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 15/22] vfs: define kernel_copy_file_from_fd() Mimi Zohar
2016-02-04 17:58   ` Kees Cook
2016-02-04 19:55   ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 16/22] module: replace copy_module_from_fd with kernel version Mimi Zohar
2016-02-04 18:04   ` Kees Cook
2016-02-04 19:56   ` Luis R. Rodriguez
2016-02-05  0:19     ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 17/22] ima: remove firmware and module specific cached status info Mimi Zohar
2016-02-07 19:56   ` Petko Manolov
2016-02-10 20:18   ` Dmitry Kasatkin
2016-02-10 23:14     ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 18/22] kexec: replace call to copy_file_from_fd() with kernel version Mimi Zohar
2016-02-04 18:05   ` Kees Cook
2016-02-04 19:57   ` Luis R. Rodriguez
2016-02-12 12:50   ` Dave Young
2016-02-03 19:06 ` [PATCH v3 19/22] ima: support for kexec image and initramfs Mimi Zohar
2016-02-07 20:10   ` Petko Manolov
2016-02-08 23:34     ` Mimi Zohar
2016-02-10 21:09   ` Dmitry Kasatkin
2016-02-10 23:21     ` Mimi Zohar
     [not found]       ` <CACE9dm8OJ1cgbKszUG-pCiEMVarUFLLWi_jewVV-JEMGAJsA-g@mail.gmail.com>
2016-02-11  2:08         ` Mimi Zohar
2016-02-11  8:47           ` Dmitry Kasatkin
2016-02-11 12:16             ` Mimi Zohar
2016-02-12 12:53   ` Dave Young
2016-02-12 13:09     ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 20/22] ima: load policy using path Mimi Zohar
2016-02-07 19:59   ` Petko Manolov
2016-02-08  9:58     ` Dmitry Kasatkin
2016-02-08 10:35       ` Petko Manolov
2016-02-08 10:45         ` Dmitry Kasatkin
2016-02-08 21:12           ` Mimi Zohar
2016-02-09  7:47             ` Petko Manolov
2016-02-03 19:06 ` [PATCH v3 21/22] ima: measure and appraise the IMA policy itself Mimi Zohar
2016-02-07 20:01   ` Petko Manolov
2016-02-10 20:22   ` Dmitry Kasatkin
2016-02-10 23:15     ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 22/22] ima: require signed IMA policy Mimi Zohar
2016-02-07 20:02   ` Petko Manolov
2016-02-10 20:24   ` Dmitry Kasatkin
2016-02-04 18:15 ` [PATCH v3 00/22] vfs: support for a common kernel file loader Kees Cook
2016-02-04 23:54   ` Mimi Zohar

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CACE9dm9Ho0ACUQ56bWTRmM8OFtK5rROX5=rVz1V1j4wSqyP21A@mail.gmail.com' \
    --to=dmitry.kasatkin@gmail.com \
    --cc=dhowells@redhat.com \
    --cc=dmitry.torokhov@gmail.com \
    --cc=dwmw2@infradead.org \
    --cc=ebiederm@xmission.com \
    --cc=fsdevel@vger.kernel.org \
    --cc=keescook@chromium.org \
    --cc=kexec@lists.infradead.org \
    --cc=linux-modules@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mcgrof@suse.com \
    --cc=rusty@rustcorp.com.au \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Modules Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-modules/0 linux-modules/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-modules linux-modules/ https://lore.kernel.org/linux-modules \
		linux-modules@vger.kernel.org linux-modules@archiver.kernel.org
	public-inbox-index linux-modules

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-modules


AGPL code for this site: git clone https://public-inbox.org/ public-inbox