From a2c2c3a71c25627e4840795b3c269918d0e71b28 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Sun, 24 Feb 2013 23:42:36 -0500 Subject: ima: "remove enforce checking duplication" merge fix Commit "750943a ima: remove enforce checking duplication" combined the 'in IMA policy' and 'enforcing file integrity' checks. For the non-file, kernel module verification, a specific check for 'enforcing file integrity' was not added. This patch adds the check. Signed-off-by: Mimi Zohar Signed-off-by: James Morris diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 5127afc..5b14a09 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -284,7 +284,8 @@ int ima_module_check(struct file *file) { if (!file) { #ifndef CONFIG_MODULE_SIG_FORCE - if (ima_appraise & IMA_APPRAISE_MODULES) + if ((ima_appraise & IMA_APPRAISE_MODULES) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) return -EACCES; /* INTEGRITY_UNKNOWN */ #endif return 0; /* We rely on module signature checking */ -- cgit v0.10.2 From 446d64e3e1154806092ac27de198dff1225797d9 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Sun, 24 Feb 2013 23:42:37 -0500 Subject: block: fix part_pack_uuid() build error Commit "85865c1 ima: add policy support for file system uuid" introduced a CONFIG_BLOCK dependency. This patch defines a wrapper called blk_part_pack_uuid(), which returns -EINVAL, when CONFIG_BLOCK is not defined. security/integrity/ima/ima_policy.c:538:4: error: implicit declaration of function 'part_pack_uuid' [-Werror=implicit-function-declaration] Changelog v2: - Reference commit number in patch description Changelog v1: - rename ima_part_pack_uuid() to blk_part_pack_uuid() - resolve scripts/checkpatch.pl warnings Changelog v0: - fix UUID scripts/Lindent msgs Reported-by: Randy Dunlap Reported-by: David Rientjes Signed-off-by: Mimi Zohar Acked-by: David Rientjes Acked-by: Randy Dunlap Cc: Jens Axboe Signed-off-by: James Morris diff --git a/include/linux/genhd.h b/include/linux/genhd.h index 79b8bba..9f3c275 100644 --- a/include/linux/genhd.h +++ b/include/linux/genhd.h @@ -231,6 +231,12 @@ static inline void part_pack_uuid(const u8 *uuid_str, u8 *to) } } +static inline int blk_part_pack_uuid(const u8 *uuid_str, u8 *to) +{ + part_pack_uuid(uuid_str, to); + return 0; +} + static inline int disk_max_parts(struct gendisk *disk) { if (disk->flags & GENHD_FL_EXT_DEVT) @@ -718,6 +724,10 @@ static inline dev_t blk_lookup_devt(const char *name, int partno) return devt; } +static inline int blk_part_pack_uuid(const u8 *uuid_str, u8 *to) +{ + return -EINVAL; +} #endif /* CONFIG_BLOCK */ #endif /* _LINUX_GENHD_H */ diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index b27535a..399433a 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -176,7 +176,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, && rule->fsmagic != inode->i_sb->s_magic) return false; if ((rule->flags & IMA_FSUUID) && - memcmp(rule->fsuuid, inode->i_sb->s_uuid, sizeof(rule->fsuuid))) + memcmp(rule->fsuuid, inode->i_sb->s_uuid, sizeof(rule->fsuuid))) return false; if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid)) return false; @@ -530,14 +530,15 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) ima_log_string(ab, "fsuuid", args[0].from); if (memchr_inv(entry->fsuuid, 0x00, - sizeof(entry->fsuuid))) { + sizeof(entry->fsuuid))) { result = -EINVAL; break; } - part_pack_uuid(args[0].from, entry->fsuuid); - entry->flags |= IMA_FSUUID; - result = 0; + result = blk_part_pack_uuid(args[0].from, + entry->fsuuid); + if (!result) + entry->flags |= IMA_FSUUID; break; case Opt_uid: ima_log_string(ab, "uid", args[0].from); -- cgit v0.10.2