ima: add ima_inode_setxattr/removexattr function and calls (42c63330) · Commits · e / devices / android_kernel_teracube_emerald

include/linux/ima.h

+17 −0

Original line number	Diff line number	Diff line
		@@ -44,10 +44,27 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)

		#ifdef CONFIG_IMA_APPRAISE
		extern void ima_inode_post_setattr(struct dentry *dentry);
		extern int ima_inode_setxattr(struct dentry dentry, const char xattr_name,
		const void *xattr_value, size_t xattr_value_len);
		extern int ima_inode_removexattr(struct dentry dentry, const char xattr_name);
		#else
		static inline void ima_inode_post_setattr(struct dentry *dentry)
		{
		return;
		}

		static inline int ima_inode_setxattr(struct dentry *dentry,
		const char *xattr_name,
		const void *xattr_value,
		size_t xattr_value_len)
		{
		return 0;
		}

		static inline int ima_inode_removexattr(struct dentry *dentry,
		const char *xattr_name)
		{
		return 0;
		}
		#endif /* CONFIG_IMA_APPRAISE_H */
		#endif /* _LINUX_IMA_H */

+57 −0

Original line number	Diff line number	Diff line
		@@ -169,3 +169,60 @@ void ima_inode_post_setattr(struct dentry *dentry)
		rc = inode->i_op->removexattr(dentry, XATTR_NAME_IMA);
		return;
		}

		/*
		* ima_protect_xattr - protect 'security.ima'
		*
		* Ensure that not just anyone can modify or remove 'security.ima'.
		*/
		static int ima_protect_xattr(struct dentry dentry, const char xattr_name,
		const void *xattr_value, size_t xattr_value_len)
		{
		if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
		if (!capable(CAP_SYS_ADMIN))
		return -EPERM;
		return 1;
		}
		return 0;
		}

		static void ima_reset_appraise_flags(struct inode *inode)
		{
		struct integrity_iint_cache *iint;

		if (!ima_initialized \|\| !ima_appraise \|\| !S_ISREG(inode->i_mode))
		return;

		iint = integrity_iint_find(inode);
		if (!iint)
		return;

		iint->flags &= ~(IMA_COLLECTED \| IMA_APPRAISED \| IMA_MEASURED);
		return;
		}

		int ima_inode_setxattr(struct dentry dentry, const char xattr_name,
		const void *xattr_value, size_t xattr_value_len)
		{
		int result;

		result = ima_protect_xattr(dentry, xattr_name, xattr_value,
		xattr_value_len);
		if (result == 1) {
		ima_reset_appraise_flags(dentry->d_inode);
		result = 0;
		}
		return result;
		}

		int ima_inode_removexattr(struct dentry dentry, const char xattr_name)
		{
		int result;

		result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
		if (result == 1) {
		ima_reset_appraise_flags(dentry->d_inode);
		result = 0;
		}
		return result;
		}

+6 −0

Original line number	Diff line number	Diff line
		@@ -571,6 +571,9 @@ int security_inode_setxattr(struct dentry dentry, const char name,
		if (unlikely(IS_PRIVATE(dentry->d_inode)))
		return 0;
		ret = security_ops->inode_setxattr(dentry, name, value, size, flags);
		if (ret)
		return ret;
		ret = ima_inode_setxattr(dentry, name, value, size);
		if (ret)
		return ret;
		return evm_inode_setxattr(dentry, name, value, size);
		@@ -606,6 +609,9 @@ int security_inode_removexattr(struct dentry dentry, const char name)
		if (unlikely(IS_PRIVATE(dentry->d_inode)))
		return 0;
		ret = security_ops->inode_removexattr(dentry, name);
		if (ret)
		return ret;
		ret = ima_inode_removexattr(dentry, name);
		if (ret)
		return ret;
		return evm_inode_removexattr(dentry, name);