Merge branch 'next' of...

			Set number of hash buckets for inode cache.

			Set number of hash buckets for inode cache.

	ima_appraise=	[IMA] appraise integrity measurements

	ima_appraise=	[IMA] appraise integrity measurements

			Format: { "off" | "enforce" | "fix" }

			Format: { "off" | "enforce" | "fix" | "log" }

			default: "enforce"

			default: "enforce"

	ima_appraise_tcb [IMA]

	ima_appraise_tcb [IMA]

#define IMA_TEMPLATE_IMA_NAME "ima"

#define IMA_TEMPLATE_IMA_NAME "ima"

#define IMA_TEMPLATE_IMA_FMT "d|n"

#define IMA_TEMPLATE_IMA_FMT "d|n"

/* current content of the policy */

extern int ima_policy_flag;

/* set during initialization */

/* set during initialization */

extern int ima_initialized;

extern int ima_initialized;

extern int ima_used_chip;

extern int ima_used_chip;

		     int flags);

		     int flags);

void ima_init_policy(void);

void ima_init_policy(void);

void ima_update_policy(void);

void ima_update_policy(void);

void ima_update_policy_flag(void);

ssize_t ima_parse_add_rule(char *);

ssize_t ima_parse_add_rule(char *);

void ima_delete_rules(void);

void ima_delete_rules(void);

/* Appraise integrity measurements */

/* Appraise integrity measurements */

#define IMA_APPRAISE_ENFORCE	0x01

#define IMA_APPRAISE_ENFORCE	0x01

#define IMA_APPRAISE_FIX	0x02

#define IMA_APPRAISE_FIX	0x02

#define IMA_APPRAISE_MODULES	0x04

#define IMA_APPRAISE_LOG	0x04

#define IMA_APPRAISE_FIRMWARE	0x08

#define IMA_APPRAISE_MODULES	0x08

#define IMA_APPRAISE_FIRMWARE	0x10

#ifdef CONFIG_IMA_APPRAISE

#ifdef CONFIG_IMA_APPRAISE

int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,

int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,

	return ima_match_policy(inode, function, mask, flags);

	return ima_match_policy(inode, function, mask, flags);

}

}

int ima_must_measure(struct inode *inode, int mask, int function)

{

	return ima_match_policy(inode, function, mask, IMA_MEASURE);

}

/*

/*

 * ima_collect_measurement - collect file measurement

 * ima_collect_measurement - collect file measurement

 *

 *

{

{

	if (strncmp(str, "off", 3) == 0)

	if (strncmp(str, "off", 3) == 0)

		ima_appraise = 0;

		ima_appraise = 0;

	else if (strncmp(str, "log", 3) == 0)

		ima_appraise = IMA_APPRAISE_LOG;

	else if (strncmp(str, "fix", 3) == 0)

	else if (strncmp(str, "fix", 3) == 0)

		ima_appraise = IMA_APPRAISE_FIX;

		ima_appraise = IMA_APPRAISE_FIX;

	return 1;

	return 1;

	struct integrity_iint_cache *iint;

	struct integrity_iint_cache *iint;

	int must_appraise, rc;

	int must_appraise, rc;

	if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode)

	if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)

	    || !inode->i_op->removexattr)

	    || !inode->i_op->removexattr)

		return;

		return;

{

{

	struct integrity_iint_cache *iint;

	struct integrity_iint_cache *iint;

	if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode))

	if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode))

		return;

		return;

	iint = integrity_iint_find(inode);

	iint = integrity_iint_find(inode);

 * a different value.) Violations add a zero entry to the measurement

 * a different value.) Violations add a zero entry to the measurement

 * list and extend the aggregate PCR value with ff...ff's.

 * list and extend the aggregate PCR value with ff...ff's.

 */

 */

static void __init ima_add_boot_aggregate(void)

static int __init ima_add_boot_aggregate(void)

{

{

	static const char op[] = "add_boot_aggregate";

	static const char op[] = "add_boot_aggregate";

	const char *audit_cause = "ENOMEM";

	const char *audit_cause = "ENOMEM";

	result = ima_alloc_init_template(iint, NULL, boot_aggregate_name,

	result = ima_alloc_init_template(iint, NULL, boot_aggregate_name,

					 NULL, 0, &entry);

					 NULL, 0, &entry);

	if (result < 0)

	if (result < 0) {

		return;

		audit_cause = "alloc_entry";

		goto err_out;

	}

	result = ima_store_template(entry, violation, NULL,

	result = ima_store_template(entry, violation, NULL,

				    boot_aggregate_name);

				    boot_aggregate_name);

	if (result < 0)

	if (result < 0) {

		ima_free_template_entry(entry);

		ima_free_template_entry(entry);

	return;

		audit_cause = "store_entry";

		goto err_out;

	}

	return 0;

err_out:

err_out:

	integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, boot_aggregate_name, op,

	integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, boot_aggregate_name, op,

			    audit_cause, result, 0);

			    audit_cause, result, 0);

	return result;

}

}

int __init ima_init(void)

int __init ima_init(void)

	if (!ima_used_chip)

	if (!ima_used_chip)

		pr_info("No TPM chip found, activating TPM-bypass!\n");

		pr_info("No TPM chip found, activating TPM-bypass!\n");

	rc = ima_init_keyring(INTEGRITY_KEYRING_IMA);

	if (rc)

		return rc;

	rc = ima_init_crypto();

	rc = ima_init_crypto();

	if (rc)

	if (rc)

		return rc;

		return rc;

	if (rc != 0)

	if (rc != 0)

		return rc;

		return rc;

	ima_add_boot_aggregate();	/* boot aggregate must be first entry */

	rc = ima_add_boot_aggregate();	/* boot aggregate must be first entry */

	if (rc != 0)

		return rc;

	ima_init_policy();

	ima_init_policy();

	return ima_fs_init();

	return ima_fs_init();