diff options
| author | Linus Torvalds | 2020-01-28 18:52:09 -0800 |
|---|---|---|
| committer | Linus Torvalds | 2020-01-28 18:52:09 -0800 |
| commit | 73a0bff2058f2403c604371c325fec737ac2ac61 (patch) | |
| tree | b862ab7ec0b6bf155cc491ec34343ac1df25bfa9 /include | |
| parent | 2cf64d7cb20b04cf25e4ebffc37833298f1d4bde (diff) | |
| parent | d54e17b4066612d88c4ef3e5fb3115f12733763d (diff) | |
Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull IMA updates from Mimi Zohar:
"Two new features - measuring certificates and querying IMA for a file
hash - and three bug fixes:
- Measuring certificates is like the rest of IMA, based on policy,
but requires loading a custom policy. Certificates loaded onto a
keyring, for example during early boot, before a custom policy has
been loaded, are queued and only processed after loading the custom
policy.
- IMA calculates and caches files hashes. Other kernel subsystems,
and possibly kernel modules, are interested in accessing these
cached file hashes.
The bug fixes prevent classifying a file short read (e.g. shutdown) as
an invalid file signature, add a missing blank when displaying the
securityfs policy rules containing LSM labels, and, lastly, fix the
handling of the IMA policy information for unknown LSM labels"
* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
IMA: Defined delayed workqueue to free the queued keys
IMA: Call workqueue functions to measure queued keys
IMA: Define workqueue for early boot key measurements
IMA: pre-allocate buffer to hold keyrings string
ima: ima/lsm policy rule loading logic bug fixes
ima: add the ability to query the cached hash of a given file
ima: Add a space after printing LSM rules for readability
IMA: fix measuring asymmetric keys Kconfig
IMA: Read keyrings= option from the IMA policy
IMA: Add support to limit measuring keys
KEYS: Call the IMA hook to measure keys
IMA: Define an IMA hook to measure keys
IMA: Add KEY_CHECK func to measure keys
IMA: Check IMA policy flag
ima: avoid appraise error for hash calc interrupt
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/ima.h | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/include/linux/ima.h b/include/linux/ima.h index 6d904754d858..1659217e9b60 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -23,6 +23,7 @@ extern int ima_read_file(struct file *file, enum kernel_read_file_id id); extern int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id id); extern void ima_post_path_mknod(struct dentry *dentry); +extern int ima_file_hash(struct file *file, char *buf, size_t buf_size); extern void ima_kexec_cmdline(const void *buf, int size); #ifdef CONFIG_IMA_KEXEC @@ -91,6 +92,11 @@ static inline void ima_post_path_mknod(struct dentry *dentry) return; } +static inline int ima_file_hash(struct file *file, char *buf, size_t buf_size) +{ + return -EOPNOTSUPP; +} + static inline void ima_kexec_cmdline(const void *buf, int size) {} #endif /* CONFIG_IMA */ @@ -101,6 +107,20 @@ static inline void ima_add_kexec_buffer(struct kimage *image) {} #endif +#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS +extern void ima_post_key_create_or_update(struct key *keyring, + struct key *key, + const void *payload, size_t plen, + unsigned long flags, bool create); +#else +static inline void ima_post_key_create_or_update(struct key *keyring, + struct key *key, + const void *payload, + size_t plen, + unsigned long flags, + bool create) {} +#endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */ + #ifdef CONFIG_IMA_APPRAISE extern bool is_ima_appraise_enabled(void); extern void ima_inode_post_setattr(struct dentry *dentry); |