Linux-Security-Module Archive on lore.kernel.org
 help / Atom feed
* [PATCH 1/2] ima: fix build error redeclaration of enumerator
@ 2019-02-12 10:08 Anders Roxell
  2019-02-12 10:08 ` [PATCH 2/2] efi: " Anders Roxell
  2019-02-12 10:21 ` [PATCH 1/2] ima: " Andy Shevchenko
  0 siblings, 2 replies; 7+ messages in thread
From: Anders Roxell @ 2019-02-12 10:08 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin, jmorris, serge, ard.biesheuvel, tglx, mingo, bp
  Cc: linux-integrity, linux-security-module, linux-kernel, x86,
	linux-efi, platform-driver-x86, Anders Roxell

Commit a893ea15d764 ("tpm: move tpm_chip definition to
include/linux/tpm.h") introduced a build error when both ima and efi is
enabled. What happens is that both headers (ima.h and efi.h) defines the
same 'NONE' constant, and it broke when they started getting included
from the same file.

In file included from ../security/integrity/ima/ima_fs.c:30:
../security/integrity/ima/ima.h:176:7: error: redeclaration of enumerator "NONE"
  hook(NONE)   \
       ^~~~
../security/integrity/ima/ima.h:188:34: note: in definition of macro "__ima_hook_enumify"
 #define __ima_hook_enumify(ENUM) ENUM,
                                  ^~~~
../security/integrity/ima/ima.h:191:2: note: in expansion of macro "__ima_hooks"
  __ima_hooks(__ima_hook_enumify)
  ^~~~~~~~~~~
In file included from ../arch/arm64/include/asm/acpi.h:15,
                 from ../include/acpi/acpi_io.h:7,
                 from ../include/linux/acpi.h:47,
                 from ../include/linux/tpm.h:26,
                 from ../security/integrity/ima/ima.h:25,
                 from ../security/integrity/ima/ima_fs.c:30:
../include/linux/efi.h:1723:2: note: previous definition of "NONE" was here
  NONE,
  ^~~~
make[4]: *** [../scripts/Makefile.build:277: security/integrity/ima/ima_fs.o] Error 1

Rework to prefix the ima enum with 'IMA_*'.

Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
---

We only need one of the two patches applied.

 security/integrity/ima/ima.h          |  24 +++---
 security/integrity/ima/ima_api.c      |   3 +-
 security/integrity/ima/ima_appraise.c |  40 +++++-----
 security/integrity/ima/ima_main.c     |  30 +++----
 security/integrity/ima/ima_policy.c   | 110 +++++++++++++-------------
 5 files changed, 104 insertions(+), 103 deletions(-)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index d213e835c498..89ceb61f279c 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -173,18 +173,18 @@ static inline unsigned long ima_hash_key(u8 *digest)
 }
 
 #define __ima_hooks(hook)		\
-	hook(NONE)			\
-	hook(FILE_CHECK)		\
-	hook(MMAP_CHECK)		\
-	hook(BPRM_CHECK)		\
-	hook(CREDS_CHECK)		\
-	hook(POST_SETATTR)		\
-	hook(MODULE_CHECK)		\
-	hook(FIRMWARE_CHECK)		\
-	hook(KEXEC_KERNEL_CHECK)	\
-	hook(KEXEC_INITRAMFS_CHECK)	\
-	hook(POLICY_CHECK)		\
-	hook(MAX_CHECK)
+	hook(IMA_NONE)			\
+	hook(IMA_FILE_CHECK)		\
+	hook(IMA_MMAP_CHECK)		\
+	hook(IMA_BPRM_CHECK)		\
+	hook(IMA_CREDS_CHECK)		\
+	hook(IMA_POST_SETATTR)		\
+	hook(IMA_MODULE_CHECK)		\
+	hook(IMA_FIRMWARE_CHECK)	\
+	hook(IMA_KEXEC_KERNEL_CHECK)	\
+	hook(IMA_KEXEC_INITRAMFS_CHECK)	\
+	hook(IMA_POLICY_CHECK)		\
+	hook(IMA_MAX_CHECK)
 #define __ima_hook_enumify(ENUM)	ENUM,
 
 enum ima_hooks {
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index c7505fb122d4..81e705423894 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -168,7 +168,8 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
  * The policy is defined in terms of keypairs:
  *		subj=, obj=, type=, func=, mask=, fsmagic=
  *	subj,obj, and type: are LSM specific.
- *	func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
+ *	func: IMA_FILE_CHECK | IMA_BPRM_CHECK | IMA_CREDS_CHECK \
+ *	      | IMA_MMAP_CHECK | IMA_MODULE_CHECK
  *	mask: contains the permission mask
  *	fsmagic: hex value
  *
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index a2baa85ea2f5..c527cf3f37d3 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -86,16 +86,16 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
 					   enum ima_hooks func)
 {
 	switch (func) {
-	case MMAP_CHECK:
+	case IMA_MMAP_CHECK:
 		return iint->ima_mmap_status;
-	case BPRM_CHECK:
+	case IMA_BPRM_CHECK:
 		return iint->ima_bprm_status;
-	case CREDS_CHECK:
+	case IMA_CREDS_CHECK:
 		return iint->ima_creds_status;
-	case FILE_CHECK:
-	case POST_SETATTR:
+	case IMA_FILE_CHECK:
+	case IMA_POST_SETATTR:
 		return iint->ima_file_status;
-	case MODULE_CHECK ... MAX_CHECK - 1:
+	case IMA_MODULE_CHECK ... IMA_MAX_CHECK - 1:
 	default:
 		return iint->ima_read_status;
 	}
@@ -106,19 +106,19 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
 				 enum integrity_status status)
 {
 	switch (func) {
-	case MMAP_CHECK:
+	case IMA_MMAP_CHECK:
 		iint->ima_mmap_status = status;
 		break;
-	case BPRM_CHECK:
+	case IMA_BPRM_CHECK:
 		iint->ima_bprm_status = status;
 		break;
-	case CREDS_CHECK:
+	case IMA_CREDS_CHECK:
 		iint->ima_creds_status = status;
-	case FILE_CHECK:
-	case POST_SETATTR:
+	case IMA_FILE_CHECK:
+	case IMA_POST_SETATTR:
 		iint->ima_file_status = status;
 		break;
-	case MODULE_CHECK ... MAX_CHECK - 1:
+	case IMA_MODULE_CHECK ... IMA_MAX_CHECK - 1:
 	default:
 		iint->ima_read_status = status;
 		break;
@@ -129,20 +129,20 @@ static void ima_cache_flags(struct integrity_iint_cache *iint,
 			     enum ima_hooks func)
 {
 	switch (func) {
-	case MMAP_CHECK:
+	case IMA_MMAP_CHECK:
 		iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
 		break;
-	case BPRM_CHECK:
+	case IMA_BPRM_CHECK:
 		iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
 		break;
-	case CREDS_CHECK:
+	case IMA_CREDS_CHECK:
 		iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
 		break;
-	case FILE_CHECK:
-	case POST_SETATTR:
+	case IMA_FILE_CHECK:
+	case IMA_POST_SETATTR:
 		iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
 		break;
-	case MODULE_CHECK ... MAX_CHECK - 1:
+	case IMA_MODULE_CHECK ... IMA_MAX_CHECK - 1:
 	default:
 		iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
 		break;
@@ -298,7 +298,7 @@ int ima_appraise_measurement(enum ima_hooks func,
 			break;
 		}
 		if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
-		    func == KEXEC_KERNEL_CHECK)
+		    func == IMA_KEXEC_KERNEL_CHECK)
 			rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM,
 						     (const char *)xattr_value,
 						     xattr_len,
@@ -400,7 +400,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
 	    || !(inode->i_opflags & IOP_XATTR))
 		return;
 
-	action = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
+	action = ima_must_appraise(inode, MAY_ACCESS, IMA_POST_SETATTR);
 	if (!action)
 		__vfs_removexattr(dentry, XATTR_NAME_IMA);
 	iint = integrity_iint_find(inode);
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 357edd140c09..1ddbe39cba8a 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -193,7 +193,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
 	 * Included is the appraise submask.
 	 */
 	action = ima_get_action(inode, cred, secid, mask, func, &pcr);
-	violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
+	violation_check = ((func == IMA_FILE_CHECK || func == IMA_MMAP_CHECK) &&
 			   (ima_policy_flag & IMA_MEASURE));
 	if (!action && !violation_check)
 		return 0;
@@ -202,7 +202,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
 
 	/*  Is the appraise rule hook specific?  */
 	if (action & IMA_FILE_APPRAISE)
-		func = FILE_CHECK;
+		func = IMA_FILE_CHECK;
 
 	inode_lock(inode);
 
@@ -340,7 +340,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
 	if (file && (prot & PROT_EXEC)) {
 		security_task_getsecid(current, &secid);
 		return process_measurement(file, current_cred(), secid, NULL,
-					   0, MAY_EXEC, MMAP_CHECK);
+					   0, MAY_EXEC, IMA_MMAP_CHECK);
 	}
 
 	return 0;
@@ -366,13 +366,13 @@ int ima_bprm_check(struct linux_binprm *bprm)
 
 	security_task_getsecid(current, &secid);
 	ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0,
-				  MAY_EXEC, BPRM_CHECK);
+				  MAY_EXEC, IMA_BPRM_CHECK);
 	if (ret)
 		return ret;
 
 	security_cred_getsecid(bprm->cred, &secid);
 	return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
-				   MAY_EXEC, CREDS_CHECK);
+				   MAY_EXEC, IMA_CREDS_CHECK);
 }
 
 /**
@@ -392,7 +392,7 @@ int ima_file_check(struct file *file, int mask)
 	security_task_getsecid(current, &secid);
 	return process_measurement(file, current_cred(), secid, NULL, 0,
 				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
-					   MAY_APPEND), FILE_CHECK);
+					   MAY_APPEND), IMA_FILE_CHECK);
 }
 EXPORT_SYMBOL_GPL(ima_file_check);
 
@@ -409,7 +409,7 @@ void ima_post_create_tmpfile(struct inode *inode)
 	struct integrity_iint_cache *iint;
 	int must_appraise;
 
-	must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
+	must_appraise = ima_must_appraise(inode, MAY_ACCESS, IMA_FILE_CHECK);
 	if (!must_appraise)
 		return;
 
@@ -436,7 +436,7 @@ void ima_post_path_mknod(struct dentry *dentry)
 	struct inode *inode = dentry->d_inode;
 	int must_appraise;
 
-	must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
+	must_appraise = ima_must_appraise(inode, MAY_ACCESS, IMA_FILE_CHECK);
 	if (!must_appraise)
 		return;
 
@@ -474,12 +474,12 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
 }
 
 static const int read_idmap[READING_MAX_ID] = {
-	[READING_FIRMWARE] = FIRMWARE_CHECK,
-	[READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK,
-	[READING_MODULE] = MODULE_CHECK,
-	[READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
-	[READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
-	[READING_POLICY] = POLICY_CHECK
+	[READING_FIRMWARE] = IMA_FIRMWARE_CHECK,
+	[READING_FIRMWARE_PREALLOC_BUFFER] = IMA_FIRMWARE_CHECK,
+	[READING_MODULE] = IMA_MODULE_CHECK,
+	[READING_KEXEC_IMAGE] = IMA_KEXEC_KERNEL_CHECK,
+	[READING_KEXEC_INITRAMFS] = IMA_KEXEC_INITRAMFS_CHECK,
+	[READING_POLICY] = IMA_POLICY_CHECK
 };
 
 /**
@@ -520,7 +520,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
 		return 0;
 	}
 
-	func = read_idmap[read_id] ?: FILE_CHECK;
+	func = read_idmap[read_id] ?: IMA_FILE_CHECK;
 	security_task_getsecid(current, &secid);
 	return process_measurement(file, current_cred(), secid, buf, size,
 				   MAY_READ, func);
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 26fa9d9723f6..1bd7b57b4503 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -112,31 +112,31 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
 };
 
 static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
-	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
+	{.action = MEASURE, .func = IMA_MMAP_CHECK, .mask = MAY_EXEC,
 	 .flags = IMA_FUNC | IMA_MASK},
-	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
+	{.action = MEASURE, .func = IMA_BPRM_CHECK, .mask = MAY_EXEC,
 	 .flags = IMA_FUNC | IMA_MASK},
-	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
+	{.action = MEASURE, .func = IMA_FILE_CHECK, .mask = MAY_READ,
 	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
-	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
-	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
+	{.action = MEASURE, .func = IMA_MODULE_CHECK, .flags = IMA_FUNC},
+	{.action = MEASURE, .func = IMA_FIRMWARE_CHECK, .flags = IMA_FUNC},
 };
 
 static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
-	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
+	{.action = MEASURE, .func = IMA_MMAP_CHECK, .mask = MAY_EXEC,
 	 .flags = IMA_FUNC | IMA_MASK},
-	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
+	{.action = MEASURE, .func = IMA_BPRM_CHECK, .mask = MAY_EXEC,
 	 .flags = IMA_FUNC | IMA_MASK},
-	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
+	{.action = MEASURE, .func = IMA_FILE_CHECK, .mask = MAY_READ,
 	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 	 .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
-	{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
+	{.action = MEASURE, .func = IMA_FILE_CHECK, .mask = MAY_READ,
 	 .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
 	 .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
-	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
-	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
-	{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
+	{.action = MEASURE, .func = IMA_MODULE_CHECK, .flags = IMA_FUNC},
+	{.action = MEASURE, .func = IMA_FIRMWARE_CHECK, .flags = IMA_FUNC},
+	{.action = MEASURE, .func = IMA_POLICY_CHECK, .flags = IMA_FUNC},
 };
 
 static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
@@ -155,7 +155,7 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
 	{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 #ifdef CONFIG_IMA_WRITE_POLICY
-	{.action = APPRAISE, .func = POLICY_CHECK,
+	{.action = APPRAISE, .func = IMA_POLICY_CHECK,
 	.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 #endif
 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
@@ -170,31 +170,31 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
 
 static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
-	{.action = APPRAISE, .func = MODULE_CHECK,
+	{.action = APPRAISE, .func = IMA_MODULE_CHECK,
 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 #endif
 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
-	{.action = APPRAISE, .func = FIRMWARE_CHECK,
+	{.action = APPRAISE, .func = IMA_FIRMWARE_CHECK,
 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 #endif
 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS
-	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
+	{.action = APPRAISE, .func = IMA_KEXEC_KERNEL_CHECK,
 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 #endif
 #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS
-	{.action = APPRAISE, .func = POLICY_CHECK,
+	{.action = APPRAISE, .func = IMA_POLICY_CHECK,
 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 #endif
 };
 
 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
-	{.action = APPRAISE, .func = MODULE_CHECK,
+	{.action = APPRAISE, .func = IMA_MODULE_CHECK,
 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
-	{.action = APPRAISE, .func = FIRMWARE_CHECK,
+	{.action = APPRAISE, .func = IMA_FIRMWARE_CHECK,
 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
-	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
+	{.action = APPRAISE, .func = IMA_KEXEC_KERNEL_CHECK,
 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
-	{.action = APPRAISE, .func = POLICY_CHECK,
+	{.action = APPRAISE, .func = IMA_POLICY_CHECK,
 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 };
 
@@ -292,13 +292,13 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
 	int i;
 
 	if ((rule->flags & IMA_FUNC) &&
-	    (rule->func != func && func != POST_SETATTR))
+	    (rule->func != func && func != IMA_POST_SETATTR))
 		return false;
 	if ((rule->flags & IMA_MASK) &&
-	    (rule->mask != mask && func != POST_SETATTR))
+	    (rule->mask != mask && func != IMA_POST_SETATTR))
 		return false;
 	if ((rule->flags & IMA_INMASK) &&
-	    (!(rule->mask & mask) && func != POST_SETATTR))
+	    (!(rule->mask & mask) && func != IMA_POST_SETATTR))
 		return false;
 	if ((rule->flags & IMA_FSMAGIC)
 	    && rule->fsmagic != inode->i_sb->s_magic)
@@ -373,16 +373,16 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
 		return IMA_FILE_APPRAISE;
 
 	switch (func) {
-	case MMAP_CHECK:
+	case IMA_MMAP_CHECK:
 		return IMA_MMAP_APPRAISE;
-	case BPRM_CHECK:
+	case IMA_BPRM_CHECK:
 		return IMA_BPRM_APPRAISE;
-	case CREDS_CHECK:
+	case IMA_CREDS_CHECK:
 		return IMA_CREDS_APPRAISE;
-	case FILE_CHECK:
-	case POST_SETATTR:
+	case IMA_FILE_CHECK:
+	case IMA_POST_SETATTR:
 		return IMA_FILE_APPRAISE;
-	case MODULE_CHECK ... MAX_CHECK - 1:
+	case IMA_MODULE_CHECK ... IMA_MAX_CHECK - 1:
 	default:
 		return IMA_READ_APPRAISE;
 	}
@@ -468,13 +468,13 @@ void ima_update_policy_flag(void)
 
 static int ima_appraise_flag(enum ima_hooks func)
 {
-	if (func == MODULE_CHECK)
+	if (func == IMA_MODULE_CHECK)
 		return IMA_APPRAISE_MODULES;
-	else if (func == FIRMWARE_CHECK)
+	else if (func == IMA_FIRMWARE_CHECK)
 		return IMA_APPRAISE_FIRMWARE;
-	else if (func == POLICY_CHECK)
+	else if (func == IMA_POLICY_CHECK)
 		return IMA_APPRAISE_POLICY;
-	else if (func == KEXEC_KERNEL_CHECK)
+	else if (func == IMA_KEXEC_KERNEL_CHECK)
 		return IMA_APPRAISE_KEXEC;
 	return 0;
 }
@@ -500,7 +500,7 @@ static void add_rules(struct ima_rule_entry *entries, int count,
 		}
 		if (entries[i].action == APPRAISE)
 			temp_ima_appraise |= ima_appraise_flag(entries[i].func);
-		if (entries[i].func == POLICY_CHECK)
+		if (entries[i].func == IMA_POLICY_CHECK)
 			temp_ima_appraise |= IMA_APPRAISE_POLICY;
 	}
 }
@@ -845,30 +845,30 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 			if (entry->func)
 				result = -EINVAL;
 
-			if (strcmp(args[0].from, "FILE_CHECK") == 0)
-				entry->func = FILE_CHECK;
+			if (strcmp(args[0].from, "IMA_FILE_CHECK") == 0)
+				entry->func = IMA_FILE_CHECK;
 			/* PATH_CHECK is for backwards compat */
 			else if (strcmp(args[0].from, "PATH_CHECK") == 0)
-				entry->func = FILE_CHECK;
-			else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
-				entry->func = MODULE_CHECK;
-			else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
-				entry->func = FIRMWARE_CHECK;
+				entry->func = IMA_FILE_CHECK;
+			else if (strcmp(args[0].from, "IMA_MODULE_CHECK") == 0)
+				entry->func = IMA_MODULE_CHECK;
+			else if (strcmp(args[0].from, "IMA_FIRMWARE_CHECK") == 0)
+				entry->func = IMA_FIRMWARE_CHECK;
 			else if ((strcmp(args[0].from, "FILE_MMAP") == 0)
-				|| (strcmp(args[0].from, "MMAP_CHECK") == 0))
-				entry->func = MMAP_CHECK;
-			else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
-				entry->func = BPRM_CHECK;
-			else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
-				entry->func = CREDS_CHECK;
-			else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
+				|| (strcmp(args[0].from, "IMA_MMAP_CHECK") == 0))
+				entry->func = IMA_MMAP_CHECK;
+			else if (strcmp(args[0].from, "IMA_BPRM_CHECK") == 0)
+				entry->func = IMA_BPRM_CHECK;
+			else if (strcmp(args[0].from, "IMA_CREDS_CHECK") == 0)
+				entry->func = IMA_CREDS_CHECK;
+			else if (strcmp(args[0].from, "IMA_KEXEC_KERNEL_CHECK") ==
 				 0)
-				entry->func = KEXEC_KERNEL_CHECK;
-			else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
+				entry->func = IMA_KEXEC_KERNEL_CHECK;
+			else if (strcmp(args[0].from, "IMA_KEXEC_INITRAMFS_CHECK")
 				 == 0)
-				entry->func = KEXEC_INITRAMFS_CHECK;
-			else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
-				entry->func = POLICY_CHECK;
+				entry->func = IMA_KEXEC_INITRAMFS_CHECK;
+			else if (strcmp(args[0].from, "IMA_POLICY_CHECK") == 0)
+				entry->func = IMA_POLICY_CHECK;
 			else
 				result = -EINVAL;
 			if (!result)
@@ -1194,7 +1194,7 @@ void ima_policy_stop(struct seq_file *m, void *v)
  */
 static void policy_func_show(struct seq_file *m, enum ima_hooks func)
 {
-	if (func > 0 && func < MAX_CHECK)
+	if (func > 0 && func < IMA_MAX_CHECK)
 		seq_printf(m, "func=%s ", func_tokens[func]);
 	else
 		seq_printf(m, "func=%d ", func);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 2/2] efi: fix build error redeclaration of enumerator
  2019-02-12 10:08 [PATCH 1/2] ima: fix build error redeclaration of enumerator Anders Roxell
@ 2019-02-12 10:08 ` " Anders Roxell
  2019-02-12 10:11   ` Ard Biesheuvel
  2019-02-12 10:21 ` [PATCH 1/2] ima: " Andy Shevchenko
  1 sibling, 1 reply; 7+ messages in thread
From: Anders Roxell @ 2019-02-12 10:08 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin, jmorris, serge, ard.biesheuvel, tglx, mingo, bp
  Cc: linux-integrity, linux-security-module, linux-kernel, x86,
	linux-efi, platform-driver-x86, Anders Roxell

Commit a893ea15d764 ("tpm: move tpm_chip definition to
include/linux/tpm.h") introduced a build error when both ima and efi is
enabled. What happens is that both headers (ima.h and efi.h) defines the
same 'NONE' constant, and it broke when they started getting included
from the same file.

In file included from ../security/integrity/ima/ima_fs.c:30:
../security/integrity/ima/ima.h:176:7: error: redeclaration of enumerator "NONE"
  hook(NONE)   \
       ^~~~
../security/integrity/ima/ima.h:188:34: note: in definition of macro "__ima_hook_enumify"
 #define __ima_hook_enumify(ENUM) ENUM,
                                  ^~~~
../security/integrity/ima/ima.h:191:2: note: in expansion of macro "__ima_hooks"
  __ima_hooks(__ima_hook_enumify)
  ^~~~~~~~~~~
In file included from ../arch/arm64/include/asm/acpi.h:15,
                 from ../include/acpi/acpi_io.h:7,
                 from ../include/linux/acpi.h:47,
                 from ../include/linux/tpm.h:26,
                 from ../security/integrity/ima/ima.h:25,
                 from ../security/integrity/ima/ima_fs.c:30:
../include/linux/efi.h:1723:2: note: previous definition of "NONE" was here
  NONE,
  ^~~~
make[4]: *** [../scripts/Makefile.build:277: security/integrity/ima/ima_fs.o] Error 1

Rework to prefix the efi enum with 'EFI_*'.

Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
---

We only need one of the two patches applied.

 arch/x86/platform/efi/quirks.c          |  2 +-
 drivers/firmware/efi/runtime-wrappers.c | 48 ++++++++++++-------------
 include/linux/efi.h                     | 26 +++++++-------
 3 files changed, 38 insertions(+), 38 deletions(-)

diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c
index 9ce85e605052..b7c0b04ee6ad 100644
--- a/arch/x86/platform/efi/quirks.c
+++ b/arch/x86/platform/efi/quirks.c
@@ -742,7 +742,7 @@ void efi_recover_from_page_fault(unsigned long phys_addr)
 	 * because this case occurs *very* rarely and hence could be improved
 	 * on a need by basis.
 	 */
-	if (efi_rts_work.efi_rts_id == RESET_SYSTEM) {
+	if (efi_rts_work.efi_rts_id == EFI_RESET_SYSTEM) {
 		pr_info("efi_reset_system() buggy! Reboot through BIOS\n");
 		machine_real_restart(MRR_BIOS);
 		return;
diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c
index c70df5ae7c4a..28138534643e 100644
--- a/drivers/firmware/efi/runtime-wrappers.c
+++ b/drivers/firmware/efi/runtime-wrappers.c
@@ -85,7 +85,7 @@ struct efi_runtime_work efi_rts_work;
 		pr_err("Failed to queue work to efi_rts_wq.\n");	\
 									\
 exit:									\
-	efi_rts_work.efi_rts_id = NONE;					\
+	efi_rts_work.efi_rts_id = EFI_NONE;				\
 	efi_rts_work.status;						\
 })
 
@@ -181,50 +181,50 @@ static void efi_call_rts(struct work_struct *work)
 	arg5 = efi_rts_work.arg5;
 
 	switch (efi_rts_work.efi_rts_id) {
-	case GET_TIME:
+	case EFI_GET_TIME:
 		status = efi_call_virt(get_time, (efi_time_t *)arg1,
 				       (efi_time_cap_t *)arg2);
 		break;
-	case SET_TIME:
+	case EFI_SET_TIME:
 		status = efi_call_virt(set_time, (efi_time_t *)arg1);
 		break;
-	case GET_WAKEUP_TIME:
+	case EFI_GET_WAKEUP_TIME:
 		status = efi_call_virt(get_wakeup_time, (efi_bool_t *)arg1,
 				       (efi_bool_t *)arg2, (efi_time_t *)arg3);
 		break;
-	case SET_WAKEUP_TIME:
+	case EFI_SET_WAKEUP_TIME:
 		status = efi_call_virt(set_wakeup_time, *(efi_bool_t *)arg1,
 				       (efi_time_t *)arg2);
 		break;
-	case GET_VARIABLE:
+	case EFI_GET_VARIABLE:
 		status = efi_call_virt(get_variable, (efi_char16_t *)arg1,
 				       (efi_guid_t *)arg2, (u32 *)arg3,
 				       (unsigned long *)arg4, (void *)arg5);
 		break;
-	case GET_NEXT_VARIABLE:
+	case EFI_GET_NEXT_VARIABLE:
 		status = efi_call_virt(get_next_variable, (unsigned long *)arg1,
 				       (efi_char16_t *)arg2,
 				       (efi_guid_t *)arg3);
 		break;
-	case SET_VARIABLE:
+	case EFI_SET_VARIABLE:
 		status = efi_call_virt(set_variable, (efi_char16_t *)arg1,
 				       (efi_guid_t *)arg2, *(u32 *)arg3,
 				       *(unsigned long *)arg4, (void *)arg5);
 		break;
-	case QUERY_VARIABLE_INFO:
+	case EFI_QUERY_VARIABLE_INFO:
 		status = efi_call_virt(query_variable_info, *(u32 *)arg1,
 				       (u64 *)arg2, (u64 *)arg3, (u64 *)arg4);
 		break;
-	case GET_NEXT_HIGH_MONO_COUNT:
+	case EFI_GET_NEXT_HIGH_MONO_COUNT:
 		status = efi_call_virt(get_next_high_mono_count, (u32 *)arg1);
 		break;
-	case UPDATE_CAPSULE:
+	case EFI_UPDATE_CAPSULE:
 		status = efi_call_virt(update_capsule,
 				       (efi_capsule_header_t **)arg1,
 				       *(unsigned long *)arg2,
 				       *(unsigned long *)arg3);
 		break;
-	case QUERY_CAPSULE_CAPS:
+	case EFI_QUERY_CAPSULE_CAPS:
 		status = efi_call_virt(query_capsule_caps,
 				       (efi_capsule_header_t **)arg1,
 				       *(unsigned long *)arg2, (u64 *)arg3,
@@ -248,7 +248,7 @@ static efi_status_t virt_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)
 
 	if (down_interruptible(&efi_runtime_lock))
 		return EFI_ABORTED;
-	status = efi_queue_work(GET_TIME, tm, tc, NULL, NULL, NULL);
+	status = efi_queue_work(EFI_GET_TIME, tm, tc, NULL, NULL, NULL);
 	up(&efi_runtime_lock);
 	return status;
 }
@@ -259,7 +259,7 @@ static efi_status_t virt_efi_set_time(efi_time_t *tm)
 
 	if (down_interruptible(&efi_runtime_lock))
 		return EFI_ABORTED;
-	status = efi_queue_work(SET_TIME, tm, NULL, NULL, NULL, NULL);
+	status = efi_queue_work(EFI_SET_TIME, tm, NULL, NULL, NULL, NULL);
 	up(&efi_runtime_lock);
 	return status;
 }
@@ -272,7 +272,7 @@ static efi_status_t virt_efi_get_wakeup_time(efi_bool_t *enabled,
 
 	if (down_interruptible(&efi_runtime_lock))
 		return EFI_ABORTED;
-	status = efi_queue_work(GET_WAKEUP_TIME, enabled, pending, tm, NULL,
+	status = efi_queue_work(EFI_GET_WAKEUP_TIME, enabled, pending, tm, NULL,
 				NULL);
 	up(&efi_runtime_lock);
 	return status;
@@ -284,7 +284,7 @@ static efi_status_t virt_efi_set_wakeup_time(efi_bool_t enabled, efi_time_t *tm)
 
 	if (down_interruptible(&efi_runtime_lock))
 		return EFI_ABORTED;
-	status = efi_queue_work(SET_WAKEUP_TIME, &enabled, tm, NULL, NULL,
+	status = efi_queue_work(EFI_SET_WAKEUP_TIME, &enabled, tm, NULL, NULL,
 				NULL);
 	up(&efi_runtime_lock);
 	return status;
@@ -300,7 +300,7 @@ static efi_status_t virt_efi_get_variable(efi_char16_t *name,
 
 	if (down_interruptible(&efi_runtime_lock))
 		return EFI_ABORTED;
-	status = efi_queue_work(GET_VARIABLE, name, vendor, attr, data_size,
+	status = efi_queue_work(EFI_GET_VARIABLE, name, vendor, attr, data_size,
 				data);
 	up(&efi_runtime_lock);
 	return status;
@@ -314,7 +314,7 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size,
 
 	if (down_interruptible(&efi_runtime_lock))
 		return EFI_ABORTED;
-	status = efi_queue_work(GET_NEXT_VARIABLE, name_size, name, vendor,
+	status = efi_queue_work(EFI_GET_NEXT_VARIABLE, name_size, name, vendor,
 				NULL, NULL);
 	up(&efi_runtime_lock);
 	return status;
@@ -330,7 +330,7 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name,
 
 	if (down_interruptible(&efi_runtime_lock))
 		return EFI_ABORTED;
-	status = efi_queue_work(SET_VARIABLE, name, vendor, &attr, &data_size,
+	status = efi_queue_work(EFI_SET_VARIABLE, name, vendor, &attr, &data_size,
 				data);
 	up(&efi_runtime_lock);
 	return status;
@@ -365,7 +365,7 @@ static efi_status_t virt_efi_query_variable_info(u32 attr,
 
 	if (down_interruptible(&efi_runtime_lock))
 		return EFI_ABORTED;
-	status = efi_queue_work(QUERY_VARIABLE_INFO, &attr, storage_space,
+	status = efi_queue_work(EFI_QUERY_VARIABLE_INFO, &attr, storage_space,
 				remaining_space, max_variable_size, NULL);
 	up(&efi_runtime_lock);
 	return status;
@@ -397,7 +397,7 @@ static efi_status_t virt_efi_get_next_high_mono_count(u32 *count)
 
 	if (down_interruptible(&efi_runtime_lock))
 		return EFI_ABORTED;
-	status = efi_queue_work(GET_NEXT_HIGH_MONO_COUNT, count, NULL, NULL,
+	status = efi_queue_work(EFI_GET_NEXT_HIGH_MONO_COUNT, count, NULL, NULL,
 				NULL, NULL);
 	up(&efi_runtime_lock);
 	return status;
@@ -413,7 +413,7 @@ static void virt_efi_reset_system(int reset_type,
 			"could not get exclusive access to the firmware\n");
 		return;
 	}
-	efi_rts_work.efi_rts_id = RESET_SYSTEM;
+	efi_rts_work.efi_rts_id = EFI_RESET_SYSTEM;
 	__efi_call_virt(reset_system, reset_type, status, data_size, data);
 	up(&efi_runtime_lock);
 }
@@ -429,7 +429,7 @@ static efi_status_t virt_efi_update_capsule(efi_capsule_header_t **capsules,
 
 	if (down_interruptible(&efi_runtime_lock))
 		return EFI_ABORTED;
-	status = efi_queue_work(UPDATE_CAPSULE, capsules, &count, &sg_list,
+	status = efi_queue_work(EFI_UPDATE_CAPSULE, capsules, &count, &sg_list,
 				NULL, NULL);
 	up(&efi_runtime_lock);
 	return status;
@@ -447,7 +447,7 @@ static efi_status_t virt_efi_query_capsule_caps(efi_capsule_header_t **capsules,
 
 	if (down_interruptible(&efi_runtime_lock))
 		return EFI_ABORTED;
-	status = efi_queue_work(QUERY_CAPSULE_CAPS, capsules, &count,
+	status = efi_queue_work(EFI_QUERY_CAPSULE_CAPS, capsules, &count,
 				max_size, reset_type, NULL);
 	up(&efi_runtime_lock);
 	return status;
diff --git a/include/linux/efi.h b/include/linux/efi.h
index a4de93c96907..b3471b6ff92f 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1720,19 +1720,19 @@ extern int efi_tpm_eventlog_init(void);
  * fault happened while executing an efi runtime service.
  */
 enum efi_rts_ids {
-	NONE,
-	GET_TIME,
-	SET_TIME,
-	GET_WAKEUP_TIME,
-	SET_WAKEUP_TIME,
-	GET_VARIABLE,
-	GET_NEXT_VARIABLE,
-	SET_VARIABLE,
-	QUERY_VARIABLE_INFO,
-	GET_NEXT_HIGH_MONO_COUNT,
-	RESET_SYSTEM,
-	UPDATE_CAPSULE,
-	QUERY_CAPSULE_CAPS,
+	EFI_NONE,
+	EFI_GET_TIME,
+	EFI_SET_TIME,
+	EFI_GET_WAKEUP_TIME,
+	EFI_SET_WAKEUP_TIME,
+	EFI_GET_VARIABLE,
+	EFI_GET_NEXT_VARIABLE,
+	EFI_SET_VARIABLE,
+	EFI_QUERY_VARIABLE_INFO,
+	EFI_GET_NEXT_HIGH_MONO_COUNT,
+	EFI_RESET_SYSTEM,
+	EFI_UPDATE_CAPSULE,
+	EFI_QUERY_CAPSULE_CAPS,
 };
 
 /*
-- 
2.20.1


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH 2/2] efi: fix build error redeclaration of enumerator
  2019-02-12 10:08 ` [PATCH 2/2] efi: " Anders Roxell
@ 2019-02-12 10:11   ` Ard Biesheuvel
  2019-02-12 10:19     ` Andy Shevchenko
  0 siblings, 1 reply; 7+ messages in thread
From: Ard Biesheuvel @ 2019-02-12 10:11 UTC (permalink / raw)
  To: Anders Roxell
  Cc: Mimi Zohar, dmitry.kasatkin, James Morris, Serge E. Hallyn,
	Thomas Gleixner, Ingo Molnar, Borislav Petkov, linux-integrity,
	linux-security-module, Linux Kernel Mailing List,
	the arch/x86 maintainers, linux-efi, platform-driver-x86

On Tue, 12 Feb 2019 at 11:09, Anders Roxell <anders.roxell@linaro.org> wrote:
>
> Commit a893ea15d764 ("tpm: move tpm_chip definition to
> include/linux/tpm.h") introduced a build error when both ima and efi is
> enabled. What happens is that both headers (ima.h and efi.h) defines the
> same 'NONE' constant, and it broke when they started getting included
> from the same file.
>
> In file included from ../security/integrity/ima/ima_fs.c:30:
> ../security/integrity/ima/ima.h:176:7: error: redeclaration of enumerator "NONE"
>   hook(NONE)   \
>        ^~~~
> ../security/integrity/ima/ima.h:188:34: note: in definition of macro "__ima_hook_enumify"
>  #define __ima_hook_enumify(ENUM) ENUM,
>                                   ^~~~
> ../security/integrity/ima/ima.h:191:2: note: in expansion of macro "__ima_hooks"
>   __ima_hooks(__ima_hook_enumify)
>   ^~~~~~~~~~~
> In file included from ../arch/arm64/include/asm/acpi.h:15,
>                  from ../include/acpi/acpi_io.h:7,
>                  from ../include/linux/acpi.h:47,
>                  from ../include/linux/tpm.h:26,
>                  from ../security/integrity/ima/ima.h:25,
>                  from ../security/integrity/ima/ima_fs.c:30:
> ../include/linux/efi.h:1723:2: note: previous definition of "NONE" was here
>   NONE,
>   ^~~~
> make[4]: *** [../scripts/Makefile.build:277: security/integrity/ima/ima_fs.o] Error 1
>
> Rework to prefix the efi enum with 'EFI_*'.
>
> Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
> ---
>
> We only need one of the two patches applied.

Thanks Anders.

I'd argue that we should apply both patches. 'NONE' is far too
generic, so it requires a subsystem prefix if it has a special meaning
inside a subsystem.

>
>  arch/x86/platform/efi/quirks.c          |  2 +-
>  drivers/firmware/efi/runtime-wrappers.c | 48 ++++++++++++-------------
>  include/linux/efi.h                     | 26 +++++++-------
>  3 files changed, 38 insertions(+), 38 deletions(-)
>
> diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c
> index 9ce85e605052..b7c0b04ee6ad 100644
> --- a/arch/x86/platform/efi/quirks.c
> +++ b/arch/x86/platform/efi/quirks.c
> @@ -742,7 +742,7 @@ void efi_recover_from_page_fault(unsigned long phys_addr)
>          * because this case occurs *very* rarely and hence could be improved
>          * on a need by basis.
>          */
> -       if (efi_rts_work.efi_rts_id == RESET_SYSTEM) {
> +       if (efi_rts_work.efi_rts_id == EFI_RESET_SYSTEM) {
>                 pr_info("efi_reset_system() buggy! Reboot through BIOS\n");
>                 machine_real_restart(MRR_BIOS);
>                 return;
> diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c
> index c70df5ae7c4a..28138534643e 100644
> --- a/drivers/firmware/efi/runtime-wrappers.c
> +++ b/drivers/firmware/efi/runtime-wrappers.c
> @@ -85,7 +85,7 @@ struct efi_runtime_work efi_rts_work;
>                 pr_err("Failed to queue work to efi_rts_wq.\n");        \
>                                                                         \
>  exit:                                                                  \
> -       efi_rts_work.efi_rts_id = NONE;                                 \
> +       efi_rts_work.efi_rts_id = EFI_NONE;                             \
>         efi_rts_work.status;                                            \
>  })
>
> @@ -181,50 +181,50 @@ static void efi_call_rts(struct work_struct *work)
>         arg5 = efi_rts_work.arg5;
>
>         switch (efi_rts_work.efi_rts_id) {
> -       case GET_TIME:
> +       case EFI_GET_TIME:
>                 status = efi_call_virt(get_time, (efi_time_t *)arg1,
>                                        (efi_time_cap_t *)arg2);
>                 break;
> -       case SET_TIME:
> +       case EFI_SET_TIME:
>                 status = efi_call_virt(set_time, (efi_time_t *)arg1);
>                 break;
> -       case GET_WAKEUP_TIME:
> +       case EFI_GET_WAKEUP_TIME:
>                 status = efi_call_virt(get_wakeup_time, (efi_bool_t *)arg1,
>                                        (efi_bool_t *)arg2, (efi_time_t *)arg3);
>                 break;
> -       case SET_WAKEUP_TIME:
> +       case EFI_SET_WAKEUP_TIME:
>                 status = efi_call_virt(set_wakeup_time, *(efi_bool_t *)arg1,
>                                        (efi_time_t *)arg2);
>                 break;
> -       case GET_VARIABLE:
> +       case EFI_GET_VARIABLE:
>                 status = efi_call_virt(get_variable, (efi_char16_t *)arg1,
>                                        (efi_guid_t *)arg2, (u32 *)arg3,
>                                        (unsigned long *)arg4, (void *)arg5);
>                 break;
> -       case GET_NEXT_VARIABLE:
> +       case EFI_GET_NEXT_VARIABLE:
>                 status = efi_call_virt(get_next_variable, (unsigned long *)arg1,
>                                        (efi_char16_t *)arg2,
>                                        (efi_guid_t *)arg3);
>                 break;
> -       case SET_VARIABLE:
> +       case EFI_SET_VARIABLE:
>                 status = efi_call_virt(set_variable, (efi_char16_t *)arg1,
>                                        (efi_guid_t *)arg2, *(u32 *)arg3,
>                                        *(unsigned long *)arg4, (void *)arg5);
>                 break;
> -       case QUERY_VARIABLE_INFO:
> +       case EFI_QUERY_VARIABLE_INFO:
>                 status = efi_call_virt(query_variable_info, *(u32 *)arg1,
>                                        (u64 *)arg2, (u64 *)arg3, (u64 *)arg4);
>                 break;
> -       case GET_NEXT_HIGH_MONO_COUNT:
> +       case EFI_GET_NEXT_HIGH_MONO_COUNT:
>                 status = efi_call_virt(get_next_high_mono_count, (u32 *)arg1);
>                 break;
> -       case UPDATE_CAPSULE:
> +       case EFI_UPDATE_CAPSULE:
>                 status = efi_call_virt(update_capsule,
>                                        (efi_capsule_header_t **)arg1,
>                                        *(unsigned long *)arg2,
>                                        *(unsigned long *)arg3);
>                 break;
> -       case QUERY_CAPSULE_CAPS:
> +       case EFI_QUERY_CAPSULE_CAPS:
>                 status = efi_call_virt(query_capsule_caps,
>                                        (efi_capsule_header_t **)arg1,
>                                        *(unsigned long *)arg2, (u64 *)arg3,
> @@ -248,7 +248,7 @@ static efi_status_t virt_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)
>
>         if (down_interruptible(&efi_runtime_lock))
>                 return EFI_ABORTED;
> -       status = efi_queue_work(GET_TIME, tm, tc, NULL, NULL, NULL);
> +       status = efi_queue_work(EFI_GET_TIME, tm, tc, NULL, NULL, NULL);
>         up(&efi_runtime_lock);
>         return status;
>  }
> @@ -259,7 +259,7 @@ static efi_status_t virt_efi_set_time(efi_time_t *tm)
>
>         if (down_interruptible(&efi_runtime_lock))
>                 return EFI_ABORTED;
> -       status = efi_queue_work(SET_TIME, tm, NULL, NULL, NULL, NULL);
> +       status = efi_queue_work(EFI_SET_TIME, tm, NULL, NULL, NULL, NULL);
>         up(&efi_runtime_lock);
>         return status;
>  }
> @@ -272,7 +272,7 @@ static efi_status_t virt_efi_get_wakeup_time(efi_bool_t *enabled,
>
>         if (down_interruptible(&efi_runtime_lock))
>                 return EFI_ABORTED;
> -       status = efi_queue_work(GET_WAKEUP_TIME, enabled, pending, tm, NULL,
> +       status = efi_queue_work(EFI_GET_WAKEUP_TIME, enabled, pending, tm, NULL,
>                                 NULL);
>         up(&efi_runtime_lock);
>         return status;
> @@ -284,7 +284,7 @@ static efi_status_t virt_efi_set_wakeup_time(efi_bool_t enabled, efi_time_t *tm)
>
>         if (down_interruptible(&efi_runtime_lock))
>                 return EFI_ABORTED;
> -       status = efi_queue_work(SET_WAKEUP_TIME, &enabled, tm, NULL, NULL,
> +       status = efi_queue_work(EFI_SET_WAKEUP_TIME, &enabled, tm, NULL, NULL,
>                                 NULL);
>         up(&efi_runtime_lock);
>         return status;
> @@ -300,7 +300,7 @@ static efi_status_t virt_efi_get_variable(efi_char16_t *name,
>
>         if (down_interruptible(&efi_runtime_lock))
>                 return EFI_ABORTED;
> -       status = efi_queue_work(GET_VARIABLE, name, vendor, attr, data_size,
> +       status = efi_queue_work(EFI_GET_VARIABLE, name, vendor, attr, data_size,
>                                 data);
>         up(&efi_runtime_lock);
>         return status;
> @@ -314,7 +314,7 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size,
>
>         if (down_interruptible(&efi_runtime_lock))
>                 return EFI_ABORTED;
> -       status = efi_queue_work(GET_NEXT_VARIABLE, name_size, name, vendor,
> +       status = efi_queue_work(EFI_GET_NEXT_VARIABLE, name_size, name, vendor,
>                                 NULL, NULL);
>         up(&efi_runtime_lock);
>         return status;
> @@ -330,7 +330,7 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name,
>
>         if (down_interruptible(&efi_runtime_lock))
>                 return EFI_ABORTED;
> -       status = efi_queue_work(SET_VARIABLE, name, vendor, &attr, &data_size,
> +       status = efi_queue_work(EFI_SET_VARIABLE, name, vendor, &attr, &data_size,
>                                 data);
>         up(&efi_runtime_lock);
>         return status;
> @@ -365,7 +365,7 @@ static efi_status_t virt_efi_query_variable_info(u32 attr,
>
>         if (down_interruptible(&efi_runtime_lock))
>                 return EFI_ABORTED;
> -       status = efi_queue_work(QUERY_VARIABLE_INFO, &attr, storage_space,
> +       status = efi_queue_work(EFI_QUERY_VARIABLE_INFO, &attr, storage_space,
>                                 remaining_space, max_variable_size, NULL);
>         up(&efi_runtime_lock);
>         return status;
> @@ -397,7 +397,7 @@ static efi_status_t virt_efi_get_next_high_mono_count(u32 *count)
>
>         if (down_interruptible(&efi_runtime_lock))
>                 return EFI_ABORTED;
> -       status = efi_queue_work(GET_NEXT_HIGH_MONO_COUNT, count, NULL, NULL,
> +       status = efi_queue_work(EFI_GET_NEXT_HIGH_MONO_COUNT, count, NULL, NULL,
>                                 NULL, NULL);
>         up(&efi_runtime_lock);
>         return status;
> @@ -413,7 +413,7 @@ static void virt_efi_reset_system(int reset_type,
>                         "could not get exclusive access to the firmware\n");
>                 return;
>         }
> -       efi_rts_work.efi_rts_id = RESET_SYSTEM;
> +       efi_rts_work.efi_rts_id = EFI_RESET_SYSTEM;
>         __efi_call_virt(reset_system, reset_type, status, data_size, data);
>         up(&efi_runtime_lock);
>  }
> @@ -429,7 +429,7 @@ static efi_status_t virt_efi_update_capsule(efi_capsule_header_t **capsules,
>
>         if (down_interruptible(&efi_runtime_lock))
>                 return EFI_ABORTED;
> -       status = efi_queue_work(UPDATE_CAPSULE, capsules, &count, &sg_list,
> +       status = efi_queue_work(EFI_UPDATE_CAPSULE, capsules, &count, &sg_list,
>                                 NULL, NULL);
>         up(&efi_runtime_lock);
>         return status;
> @@ -447,7 +447,7 @@ static efi_status_t virt_efi_query_capsule_caps(efi_capsule_header_t **capsules,
>
>         if (down_interruptible(&efi_runtime_lock))
>                 return EFI_ABORTED;
> -       status = efi_queue_work(QUERY_CAPSULE_CAPS, capsules, &count,
> +       status = efi_queue_work(EFI_QUERY_CAPSULE_CAPS, capsules, &count,
>                                 max_size, reset_type, NULL);
>         up(&efi_runtime_lock);
>         return status;
> diff --git a/include/linux/efi.h b/include/linux/efi.h
> index a4de93c96907..b3471b6ff92f 100644
> --- a/include/linux/efi.h
> +++ b/include/linux/efi.h
> @@ -1720,19 +1720,19 @@ extern int efi_tpm_eventlog_init(void);
>   * fault happened while executing an efi runtime service.
>   */
>  enum efi_rts_ids {
> -       NONE,
> -       GET_TIME,
> -       SET_TIME,
> -       GET_WAKEUP_TIME,
> -       SET_WAKEUP_TIME,
> -       GET_VARIABLE,
> -       GET_NEXT_VARIABLE,
> -       SET_VARIABLE,
> -       QUERY_VARIABLE_INFO,
> -       GET_NEXT_HIGH_MONO_COUNT,
> -       RESET_SYSTEM,
> -       UPDATE_CAPSULE,
> -       QUERY_CAPSULE_CAPS,
> +       EFI_NONE,
> +       EFI_GET_TIME,
> +       EFI_SET_TIME,
> +       EFI_GET_WAKEUP_TIME,
> +       EFI_SET_WAKEUP_TIME,
> +       EFI_GET_VARIABLE,
> +       EFI_GET_NEXT_VARIABLE,
> +       EFI_SET_VARIABLE,
> +       EFI_QUERY_VARIABLE_INFO,
> +       EFI_GET_NEXT_HIGH_MONO_COUNT,
> +       EFI_RESET_SYSTEM,
> +       EFI_UPDATE_CAPSULE,
> +       EFI_QUERY_CAPSULE_CAPS,
>  };
>
>  /*
> --
> 2.20.1
>

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH 2/2] efi: fix build error redeclaration of enumerator
  2019-02-12 10:11   ` Ard Biesheuvel
@ 2019-02-12 10:19     ` Andy Shevchenko
  0 siblings, 0 replies; 7+ messages in thread
From: Andy Shevchenko @ 2019-02-12 10:19 UTC (permalink / raw)
  To: Ard Biesheuvel
  Cc: Anders Roxell, Mimi Zohar, Dmitry Kasatkin, James Morris,
	Serge E. Hallyn, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	linux-integrity, linux-security-module,
	Linux Kernel Mailing List, the arch/x86 maintainers, linux-efi,
	Platform Driver

On Tue, Feb 12, 2019 at 12:16 PM Ard Biesheuvel
<ard.biesheuvel@linaro.org> wrote:
> On Tue, 12 Feb 2019 at 11:09, Anders Roxell <anders.roxell@linaro.org> wrote:
> >
> > Commit a893ea15d764 ("tpm: move tpm_chip definition to
> > include/linux/tpm.h") introduced a build error when both ima and efi is
> > enabled. What happens is that both headers (ima.h and efi.h) defines the
> > same 'NONE' constant, and it broke when they started getting included
> > from the same file.

> I'd argue that we should apply both patches. 'NONE' is far too
> generic, so it requires a subsystem prefix if it has a special meaning
> inside a subsystem.

I was about to say the same thing.

-- 
With Best Regards,
Andy Shevchenko

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH 1/2] ima: fix build error redeclaration of enumerator
  2019-02-12 10:08 [PATCH 1/2] ima: fix build error redeclaration of enumerator Anders Roxell
  2019-02-12 10:08 ` [PATCH 2/2] efi: " Anders Roxell
@ 2019-02-12 10:21 ` " Andy Shevchenko
  2019-02-12 10:23   ` Andy Shevchenko
  1 sibling, 1 reply; 7+ messages in thread
From: Andy Shevchenko @ 2019-02-12 10:21 UTC (permalink / raw)
  To: Anders Roxell
  Cc: Mimi Zohar, Dmitry Kasatkin, James Morris, Serge E. Hallyn,
	Ard Biesheuvel, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	linux-integrity, linux-security-module,
	Linux Kernel Mailing List,
	maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
	linux-efi, Platform Driver

On Tue, Feb 12, 2019 at 12:15 PM Anders Roxell <anders.roxell@linaro.org> wrote:
>
> Commit a893ea15d764 ("tpm: move tpm_chip definition to
> include/linux/tpm.h") introduced a build error when both ima and efi is
> enabled. What happens is that both headers (ima.h and efi.h) defines the
> same 'NONE' constant, and it broke when they started getting included
> from the same file.

> We only need one of the two patches applied.

I would argue that we need two patches applied. Namespace is a hidden
issue in the code.

This patch looks good to me, FWIW,
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>

-- 
With Best Regards,
Andy Shevchenko

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH 1/2] ima: fix build error redeclaration of enumerator
  2019-02-12 10:21 ` [PATCH 1/2] ima: " Andy Shevchenko
@ 2019-02-12 10:23   ` Andy Shevchenko
  2019-02-12 11:00     ` Anders Roxell
  0 siblings, 1 reply; 7+ messages in thread
From: Andy Shevchenko @ 2019-02-12 10:23 UTC (permalink / raw)
  To: Anders Roxell
  Cc: Mimi Zohar, Dmitry Kasatkin, James Morris, Serge E. Hallyn,
	Ard Biesheuvel, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	linux-integrity, linux-security-module,
	Linux Kernel Mailing List,
	maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
	linux-efi, Platform Driver

On Tue, Feb 12, 2019 at 12:21 PM Andy Shevchenko
<andy.shevchenko@gmail.com> wrote:
>
> On Tue, Feb 12, 2019 at 12:15 PM Anders Roxell <anders.roxell@linaro.org> wrote:
> >
> > Commit a893ea15d764 ("tpm: move tpm_chip definition to
> > include/linux/tpm.h") introduced a build error when both ima and efi is
> > enabled. What happens is that both headers (ima.h and efi.h) defines the
> > same 'NONE' constant, and it broke when they started getting included
> > from the same file.
>
> > We only need one of the two patches applied.
>
> I would argue that we need two patches applied. Namespace is a hidden
> issue in the code.
>
> This patch looks good to me, FWIW,
> Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>

Oh, did you change ABI? So, I have to say that enum changes are okay,
but ABI, if any, are not.

-- 
With Best Regards,
Andy Shevchenko

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH 1/2] ima: fix build error redeclaration of enumerator
  2019-02-12 10:23   ` Andy Shevchenko
@ 2019-02-12 11:00     ` Anders Roxell
  0 siblings, 0 replies; 7+ messages in thread
From: Anders Roxell @ 2019-02-12 11:00 UTC (permalink / raw)
  To: Andy Shevchenko
  Cc: Mimi Zohar, Dmitry Kasatkin, James Morris, Serge E. Hallyn,
	Ard Biesheuvel, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	linux-integrity, linux-security-module,
	Linux Kernel Mailing List,
	maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
	linux-efi, Platform Driver

On Tue, 12 Feb 2019 at 11:23, Andy Shevchenko <andy.shevchenko@gmail.com> wrote:
>
> On Tue, Feb 12, 2019 at 12:21 PM Andy Shevchenko
> <andy.shevchenko@gmail.com> wrote:
> >
> > On Tue, Feb 12, 2019 at 12:15 PM Anders Roxell <anders.roxell@linaro.org> wrote:
> > >
> > > Commit a893ea15d764 ("tpm: move tpm_chip definition to
> > > include/linux/tpm.h") introduced a build error when both ima and efi is
> > > enabled. What happens is that both headers (ima.h and efi.h) defines the
> > > same 'NONE' constant, and it broke when they started getting included
> > > from the same file.
> >
> > > We only need one of the two patches applied.
> >
> > I would argue that we need two patches applied. Namespace is a hidden
> > issue in the code.
> >
> > This patch looks good to me, FWIW,
> > Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
>
> Oh, did you change ABI? So, I have to say that enum changes are okay,
> but ABI, if any, are not.

urgh, thank you for the review. It looks like I changed a bit too much
in ima_parse_rule() =/
I'll send send out a v2 shortly.

Cheers,
Anders

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, back to index

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-02-12 10:08 [PATCH 1/2] ima: fix build error redeclaration of enumerator Anders Roxell
2019-02-12 10:08 ` [PATCH 2/2] efi: " Anders Roxell
2019-02-12 10:11   ` Ard Biesheuvel
2019-02-12 10:19     ` Andy Shevchenko
2019-02-12 10:21 ` [PATCH 1/2] ima: " Andy Shevchenko
2019-02-12 10:23   ` Andy Shevchenko
2019-02-12 11:00     ` Anders Roxell

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org linux-security-module@archiver.kernel.org
	public-inbox-index linux-security-module


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/ public-inbox