
Commit 0c343af8 authored by Matthew Garrett, committed by Mimi Zohar

integrity: Add an integrity directory in securityfs



We want to add additional evm control nodes, and it'd be preferable not
to clutter up the securityfs root directory any further. Create a new
integrity directory, move the ima directory into it, create an evm
directory for the evm attribute and add compatibility symlinks.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
parent 4ecd9934
+24 −3
@@ -19,7 +19,9 @@
#include <linux/module.h>
#include <linux/module.h>
#include "evm.h"
#include "evm.h"


static struct dentry *evm_dir;
static struct dentry *evm_init_tpm;
static struct dentry *evm_init_tpm;
static struct dentry *evm_symlink;


/**
/**
 * evm_read_key - read() for <securityfs>/evm
 * evm_read_key - read() for <securityfs>/evm
@@ -111,9 +113,28 @@ int __init evm_init_secfs(void)
{
{
	int error = 0;
	int error = 0;


	evm_init_tpm = securityfs_create_file("evm", S_IRUSR | S_IRGRP,
	evm_dir = securityfs_create_dir("evm", integrity_dir);
					      NULL, NULL, &evm_key_ops);
	if (!evm_dir || IS_ERR(evm_dir))
	if (!evm_init_tpm || IS_ERR(evm_init_tpm))
		return -EFAULT;

	evm_init_tpm = securityfs_create_file("evm", 0660,
					      evm_dir, NULL, &evm_key_ops);
	if (!evm_init_tpm || IS_ERR(evm_init_tpm)) {
		error = -EFAULT;
		goto out;
	}

	evm_symlink = securityfs_create_symlink("evm", NULL,
						"integrity/evm/evm", NULL);
	if (!evm_symlink || IS_ERR(evm_symlink)) {
		error = -EFAULT;
		error = -EFAULT;
		goto out;
	}

	return 0;
out:
	securityfs_remove(evm_symlink);
	securityfs_remove(evm_init_tpm);
	securityfs_remove(evm_dir);
	return error;
	return error;
}
}
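Review bot: The mode of the evm control node changes from `S_IRUSR | S_IRGRP` (0440) to `0660` in the new securityfs_create_file() call, which adds owner and group write permission on the node, yet the commit message only describes the directory move and the compatibility symlinks. If the write bit is intended (evm_key_ops presumably carries a write handler, which is not visible here) the message should say so; otherwise keep the old mode so a layout reorganisation does not widen DAC access to the EVM control file. Separately, every failure collapses to -EFAULT although securityfs_create_dir/file/symlink return an ERR_PTR carrying the real cause, so `error = PTR_ERR(evm_init_tpm);` (and likewise for evm_dir and evm_symlink) would make init failures diagnosable, and if those helpers never return NULL, as I believe, the `!ptr ||` half of each check is redundant. The evm_init_secfs() signature sits just above this hunk.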
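--- a/FILE2_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE2_PATH_NOT_SHOWN_ON_PAGE
@@ -21,12 +21,15 @@
 #include <linux/rbtree.h>
 #include <linux/file.h>
 #include <linux/uaccess.h>
+#include <linux/security.h>
 #include "integrity.h"
 
 static struct rb_root integrity_iint_tree = RB_ROOT;
 static DEFINE_RWLOCK(integrity_iint_lock);
 static struct kmem_cache *iint_cache __read_mostly;
 
+struct dentry *integrity_dir;
+
 /*
  * __integrity_iint_find - return the iint associated with an inode
  */
@@ -211,3 +214,18 @@ void __init integrity_load_keys(void)
 	ima_load_x509();
 	evm_load_x509();
 }
+
+static int __init integrity_fs_init(void)
+{
+	integrity_dir = securityfs_create_dir("integrity", NULL);
+	if (IS_ERR(integrity_dir)) {
+		pr_err("Unable to create integrity sysfs dir: %ld\n",
+		       PTR_ERR(integrity_dir));
+		integrity_dir = NULL;
+		return PTR_ERR(integrity_dir);
+	}
+
+	return 0;
+}
+
+late_initcall(integrity_fs_init)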
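Review bot: The error path in integrity_fs_init() evaluates `PTR_ERR(integrity_dir)` after `integrity_dir = NULL` has already run, so the initcall returns 0 and the failure is visible only in the log, while the later users of `integrity_dir` as a parent then get a NULL parent, which on the IMA side previously meant the securityfs root. Capture the code first: `int ret = PTR_ERR(integrity_dir);` before the pr_err(), then `integrity_dir = NULL; return ret;`. The message also says "sysfs dir" for a securityfs directory; `"Unable to create integrity securityfs dir: %ld\n"` is what someone grepping the log will look for. Whether ima_fs_init() and evm_init_secfs() are guaranteed to run after this late_initcall is not visible in this hunk and is worth confirming.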
+8 −1
@@ -359,6 +359,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
}
}


static struct dentry *ima_dir;
static struct dentry *ima_dir;
static struct dentry *ima_symlink;
static struct dentry *binary_runtime_measurements;
static struct dentry *binary_runtime_measurements;
static struct dentry *ascii_runtime_measurements;
static struct dentry *ascii_runtime_measurements;
static struct dentry *runtime_measurements_count;
static struct dentry *runtime_measurements_count;
@@ -453,10 +454,15 @@ static const struct file_operations ima_measure_policy_ops = {


int __init ima_fs_init(void)
int __init ima_fs_init(void)
{
{
	ima_dir = securityfs_create_dir("ima", NULL);
	ima_dir = securityfs_create_dir("ima", integrity_dir);
	if (IS_ERR(ima_dir))
	if (IS_ERR(ima_dir))
		return -1;
		return -1;


	ima_symlink = securityfs_create_symlink("ima", NULL, "integrity/ima",
						NULL);
	if (IS_ERR(ima_symlink))
		goto out;

	binary_runtime_measurements =
	binary_runtime_measurements =
	    securityfs_create_file("binary_runtime_measurements",
	    securityfs_create_file("binary_runtime_measurements",
				   S_IRUSR | S_IRGRP, ima_dir, NULL,
				   S_IRUSR | S_IRGRP, ima_dir, NULL,
@@ -496,6 +502,7 @@ int __init ima_fs_init(void)
	securityfs_remove(runtime_measurements_count);
	securityfs_remove(runtime_measurements_count);
	securityfs_remove(ascii_runtime_measurements);
	securityfs_remove(ascii_runtime_measurements);
	securityfs_remove(binary_runtime_measurements);
	securityfs_remove(binary_runtime_measurements);
	securityfs_remove(ima_symlink);
	securityfs_remove(ima_dir);
	securityfs_remove(ima_dir);
	securityfs_remove(ima_policy);
	securityfs_remove(ima_policy);
	return -1;
	return -1;
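Review bot: ima_fs_init() passes `integrity_dir` as the parent without checking it, and since integrity_fs_init() explicitly resets it to NULL on failure, a failed integrity directory leaves ima_dir created at the securityfs root while the new `"integrity/ima"` symlink points at a path that does not exist. A guard such as `if (!integrity_dir) return -1;` before securityfs_create_dir(), or at least skipping the symlink in that case, keeps the layout consistent with what the symlink target promises. The relative target strings `"integrity/ima"` here and `"integrity/evm/evm"` on the EVM side are coupled to the directory name created in integrity_fs_init(); a shared define in integrity.h would keep them from drifting apart. ima_fs_init() continues past both hunk boundaries, and the `out:` label targeted by the new goto is not shown.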
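--- a/FILE4_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE4_PATH_NOT_SHOWN_ON_PAGE
@@ -143,6 +143,8 @@ int integrity_kernel_read(struct file *file, loff_t offset,
 #define INTEGRITY_KEYRING_MODULE	2
 #define INTEGRITY_KEYRING_MAX		3
 
+extern struct dentry *integrity_dir;
+
 #ifdef CONFIG_INTEGRITY_SIGNATURE
 
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,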