diff options
author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2009-02-04 09:06:57 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-02-06 09:05:30 +1100 |
commit | 6146f0d5e47ca4047ffded0fb79b6c25359b386c (patch) | |
tree | edd792e52ad56d4a5d3ac6caa8437d3283fc157e /fs/exec.c | |
parent | 659aaf2bb5496a425ba14036b5b5900f593e4484 (diff) | |
download | op-kernel-dev-6146f0d5e47ca4047ffded0fb79b6c25359b386c.zip op-kernel-dev-6146f0d5e47ca4047ffded0fb79b6c25359b386c.tar.gz |
integrity: IMA hooks
This patch replaces the generic integrity hooks, for which IMA registered
itself, with IMA integrity hooks in the appropriate places directly
in the fs directory.
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'fs/exec.c')
-rw-r--r-- | fs/exec.c | 10 |
1 files changed, 10 insertions, 0 deletions
@@ -45,6 +45,7 @@ #include <linux/proc_fs.h> #include <linux/mount.h> #include <linux/security.h> +#include <linux/ima.h> #include <linux/syscalls.h> #include <linux/tsacct_kern.h> #include <linux/cn_proc.h> @@ -130,6 +131,9 @@ asmlinkage long sys_uselib(const char __user * library) error = vfs_permission(&nd, MAY_READ | MAY_EXEC | MAY_OPEN); if (error) goto exit; + error = ima_path_check(&nd.path, MAY_READ | MAY_EXEC | MAY_OPEN); + if (error) + goto exit; file = nameidata_to_filp(&nd, O_RDONLY|O_LARGEFILE); error = PTR_ERR(file); @@ -683,6 +687,9 @@ struct file *open_exec(const char *name) err = vfs_permission(&nd, MAY_EXEC | MAY_OPEN); if (err) goto out_path_put; + err = ima_path_check(&nd.path, MAY_EXEC | MAY_OPEN); + if (err) + goto out_path_put; file = nameidata_to_filp(&nd, O_RDONLY|O_LARGEFILE); if (IS_ERR(file)) @@ -1209,6 +1216,9 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) retval = security_bprm_check(bprm); if (retval) return retval; + retval = ima_bprm_check(bprm); + if (retval) + return retval; /* kernel module loader fixup */ /* so we don't try to load run modprobe in kernel space. */ |