From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: viro@zeniv.linux.org.uk, brauner@kernel.org,
chuck.lever@oracle.com, jlayton@kernel.org, neilb@suse.de,
kolga@netapp.com, Dai.Ngo@oracle.com, tom@talpey.com,
zohar@linux.ibm.com, dmitry.kasatkin@gmail.com,
paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
dhowells@redhat.com, jarkko@kernel.org,
stephen.smalley.work@gmail.com, eparis@parisplace.org,
casey@schaufler-ca.com
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
selinux@vger.kernel.org, Roberto Sassu <roberto.sassu@huawei.com>,
Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v2 04/25] ima: Align ima_file_mprotect() definition with LSM infrastructure
Date: Thu, 31 Aug 2023 12:41:15 +0200 [thread overview]
Message-ID: <20230831104136.903180-5-roberto.sassu@huaweicloud.com> (raw)
In-Reply-To: <20230831104136.903180-1-roberto.sassu@huaweicloud.com>
From: Roberto Sassu <roberto.sassu@huawei.com>
Change ima_file_mprotect() definition, so that it can be registered
as implementation of the file_mprotect hook.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
include/linux/ima.h | 5 +++--
security/integrity/ima/ima_main.c | 6 ++++--
security/security.c | 2 +-
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 893c3b98b4d0..56e72c0beb96 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -24,7 +24,8 @@ extern void ima_post_create_tmpfile(struct mnt_idmap *idmap,
extern void ima_file_free(struct file *file);
extern int ima_file_mmap(struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags);
-extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot);
+int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
+ unsigned long prot);
extern int ima_load_data(enum kernel_load_data_id id, bool contents);
extern int ima_post_load_data(char *buf, loff_t size,
enum kernel_load_data_id id, char *description);
@@ -88,7 +89,7 @@ static inline int ima_file_mmap(struct file *file, unsigned long reqprot,
}
static inline int ima_file_mprotect(struct vm_area_struct *vma,
- unsigned long prot)
+ unsigned long reqprot, unsigned long prot)
{
return 0;
}
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 52e742d32f4b..e9e2a3ad25a1 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -441,7 +441,8 @@ int ima_file_mmap(struct file *file, unsigned long reqprot,
/**
* ima_file_mprotect - based on policy, limit mprotect change
* @vma: vm_area_struct protection is set to
- * @prot: contains the protection that will be applied by the kernel.
+ * @reqprot: protection requested by the application
+ * @prot: protection that will be applied by the kernel
*
* Files can be mmap'ed read/write and later changed to execute to circumvent
* IMA's mmap appraisal policy rules. Due to locking issues (mmap semaphore
@@ -451,7 +452,8 @@ int ima_file_mmap(struct file *file, unsigned long reqprot,
*
* On mprotect change success, return 0. On failure, return -EACESS.
*/
-int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot)
+int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
+ unsigned long prot)
{
struct ima_template_desc *template = NULL;
struct file *file;
diff --git a/security/security.c b/security/security.c
index 96f2c68a1571..dffb67e6e119 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2721,7 +2721,7 @@ int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
ret = call_int_hook(file_mprotect, 0, vma, reqprot, prot);
if (ret)
return ret;
- return ima_file_mprotect(vma, prot);
+ return ima_file_mprotect(vma, reqprot, prot);
}
/**
--
2.34.1
next prev parent reply other threads:[~2023-08-31 10:43 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-31 10:41 [PATCH v2 00/25] security: Move IMA and EVM to the LSM infrastructure Roberto Sassu
2023-08-31 10:41 ` [PATCH v2 01/25] ima: Align ima_inode_post_setattr() definition with " Roberto Sassu
2023-08-31 10:41 ` [PATCH v2 02/25] ima: Align ima_post_path_mknod() " Roberto Sassu
2023-08-31 10:41 ` [PATCH v2 03/25] ima: Align ima_post_create_tmpfile() " Roberto Sassu
2023-08-31 10:41 ` Roberto Sassu [this message]
2023-08-31 10:41 ` [PATCH v2 05/25] ima: Align ima_inode_setxattr() " Roberto Sassu
2023-08-31 10:41 ` [PATCH v2 06/25] ima: Align ima_inode_removexattr() " Roberto Sassu
2023-08-31 10:41 ` [PATCH v2 07/25] ima: Align ima_post_read_file() " Roberto Sassu
2023-08-31 10:41 ` [PATCH v2 08/25] evm: Align evm_inode_post_setattr() " Roberto Sassu
2023-08-31 10:41 ` [PATCH v2 09/25] evm: Align evm_inode_setxattr() " Roberto Sassu
2023-08-31 10:41 ` [PATCH v2 10/25] evm: Align evm_inode_post_setxattr() " Roberto Sassu
2023-08-31 10:41 ` [PATCH v2 11/25] security: Align inode_setattr hook definition with EVM Roberto Sassu
2023-09-04 21:08 ` Jarkko Sakkinen
2023-09-05 15:56 ` Casey Schaufler
2023-09-11 10:50 ` Jarkko Sakkinen
2023-08-31 10:41 ` [PATCH v2 12/25] security: Introduce inode_post_setattr hook Roberto Sassu
2023-08-31 22:28 ` Casey Schaufler
2023-09-04 21:09 ` Jarkko Sakkinen
2023-08-31 10:41 ` [PATCH v2 13/25] security: Introduce inode_post_removexattr hook Roberto Sassu
2023-08-31 22:30 ` Casey Schaufler
2023-09-04 21:11 ` Jarkko Sakkinen
2023-09-05 6:51 ` Roberto Sassu
2023-09-05 16:49 ` Mimi Zohar
2023-08-31 10:41 ` [PATCH v2 14/25] security: Introduce file_post_open hook Roberto Sassu
2023-08-31 22:33 ` Casey Schaufler
2023-08-31 10:41 ` [PATCH v2 15/25] security: Introduce file_pre_free_security hook Roberto Sassu
2023-08-31 22:34 ` Casey Schaufler
2023-08-31 10:41 ` [PATCH v2 16/25] security: Introduce path_post_mknod hook Roberto Sassu
2023-08-31 22:34 ` Casey Schaufler
2023-08-31 10:41 ` [PATCH v2 17/25] security: Introduce inode_post_create_tmpfile hook Roberto Sassu
2023-08-31 22:35 ` Casey Schaufler
2023-08-31 10:41 ` [PATCH v2 18/25] security: Introduce inode_post_set_acl hook Roberto Sassu
2023-08-31 22:36 ` Casey Schaufler
2023-08-31 10:41 ` [PATCH v2 19/25] security: Introduce inode_post_remove_acl hook Roberto Sassu
2023-08-31 22:36 ` Casey Schaufler
2023-08-31 11:37 ` [PATCH v2 20/25] security: Introduce key_post_create_or_update hook Roberto Sassu
2023-08-31 22:37 ` Casey Schaufler
2023-08-31 11:37 ` [PATCH v2 21/25] ima: Move to LSM infrastructure Roberto Sassu
2023-08-31 14:10 ` Chuck Lever
2023-08-31 22:42 ` Casey Schaufler
2023-08-31 11:38 ` [PATCH v2 22/25] ima: Move IMA-Appraisal " Roberto Sassu
2023-08-31 11:38 ` [PATCH v2 23/25] evm: Move " Roberto Sassu
2023-08-31 22:46 ` Casey Schaufler
2023-08-31 11:38 ` [PATCH v2 24/25] integrity: Move integrity functions to the " Roberto Sassu
2023-08-31 22:49 ` Casey Schaufler
2023-08-31 11:38 ` [PATCH v2 25/25] integrity: Switch from rbtree to LSM-managed blob for integrity_iint_cache Roberto Sassu
2023-08-31 23:05 ` Casey Schaufler
2023-08-31 23:01 ` [PATCH v2 00/25] security: Move IMA and EVM to the LSM infrastructure Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230831104136.903180-5-roberto.sassu@huaweicloud.com \
--to=roberto.sassu@huaweicloud.com \
--cc=Dai.Ngo@oracle.com \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=chuck.lever@oracle.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eparis@parisplace.org \
--cc=jarkko@kernel.org \
--cc=jlayton@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=kolga@netapp.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=neilb@suse.de \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stefanb@linux.ibm.com \
--cc=stephen.smalley.work@gmail.com \
--cc=tom@talpey.com \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.