From patchwork Tue Feb 12 10:08:24 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anders Roxell X-Patchwork-Id: 158134 Delivered-To: patch@linaro.org Received: by 2002:a02:48:0:0:0:0:0 with SMTP id 69csp3643378jaa; Tue, 12 Feb 2019 02:09:02 -0800 (PST) X-Google-Smtp-Source: AHgI3IYittoyVN19lkJnauUfQxV3R/h4PpmKnbFua8w8Kf4OOHmCeKSh6vk1R55SfxYy4FzELC/k X-Received: by 2002:a17:902:5a5:: with SMTP id f34mr3203923plf.161.1549966142205; Tue, 12 Feb 2019 02:09:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1549966142; cv=none; d=google.com; s=arc-20160816; b=ZoOCM5gh105Gq02wKRdIkUi62i36hD/Hd/g5yxYf0NEoaSaRd3BUOtqsJ0d2AtbiXT NPUKD1Mh0HE5POsIqcoGKvHFouaoJj8PX2Tt6JQspu5GsUhJACzr/08vEpmb+DePntGp AdPwCnXQTpPDEvNjev080hDqdlgzZawI4AJiODXBnlNlmH4x48m0ZAkaqQnZVl+cUS/V d5jmrGnTxDhIvCKDUg33gBnNy+JMv4eucXtEvkG8bIzsc8C73W0u0qBldvWPl5Blb83Y NId7vc8NfNJ/lfLAj/xP7TPfbf4I5OpmAXTk3emYuode1dSKpQpe+Id3iyMcCMuxi0uV 4vQg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=Vx8hhnmiGUvFoZ/KyN0rtKd5uBKlcS0s0BPcVGEIgS0=; b=FJXURpijFHZzm2iOGAplv9gVLndxPGZwZD7wI951P32Jn4lNvMTeDxkHojqR3VLX44 rEL6yvmVVIxNF9tADEfmx/N6zeYEaC/9G5lw5J5SwmISdFuL9ggFVm4xvS2nO15xMp7o lxr9w0ModexBcxvG9b4hp7bz3WPqZEuYy6qtk9Y30ncgnW/bA/b4wTBB1YwM3bc9Z+h6 yHjPtnlHiPpIn22Vs7SJlcz3AEgchC/HFf5eC83pb7z7FAFNqdtKtMgHNrf467ZgXnw2 uhhNF2gbVMIoaAfyctGZ1NKxV+yKms4gDqL83HQKqcfs1cIEuycKPNUKRfBCVzOXHCfG SoLA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=pnD9SmUp; spf=pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-efi-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d14si12636204pgn.390.2019.02.12.02.09.01; Tue, 12 Feb 2019 02:09:02 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=pnD9SmUp; spf=pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-efi-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728499AbfBLKJB (ORCPT + 3 others); Tue, 12 Feb 2019 05:09:01 -0500 Received: from mail-lf1-f67.google.com ([209.85.167.67]:41557 "EHLO mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728497AbfBLKJB (ORCPT ); Tue, 12 Feb 2019 05:09:01 -0500 Received: by mail-lf1-f67.google.com with SMTP id e27so1522405lfj.8 for ; Tue, 12 Feb 2019 02:08:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Vx8hhnmiGUvFoZ/KyN0rtKd5uBKlcS0s0BPcVGEIgS0=; b=pnD9SmUpluJ1bigdrp76uAOR5+iE/aMFuP4iMCxTGU/oJNPNTp3htWkfuKrXXatoOm BW87ukMXwWa28C8X344jODUboXY3afios+HVOhqeeJg28IdCsrSvZBbrTttfbtrasr+J HoMFXffyxGyqKKAFXHEfniP4reXuVt/exie9YekULlIVnOrHeHty1Xe7cBcbImK+VHjF l7w/GQxiRfvYBcBlCe5nbWmdL2BEGOMzB4QC/mr6ncantHXV1iCqFulovJxLbLzmldEw oH1tj8WZ9nXlkj01vmSccj5ALxxeAih7yaIh1H603qKEFC/0VA8m3oWWAPSFLF9kOcgl 0mKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Vx8hhnmiGUvFoZ/KyN0rtKd5uBKlcS0s0BPcVGEIgS0=; b=qDGMP87wfWd2A+kaBQ6U03Jblk4KzE0sxZOfEJ5l5VqbSPSKjrEBhBqqkDm2oXo58W EN71cAV7V1W1HzBPtSbBoIr/zkopkZrjVPPSuybgjqm8Vs/SWfpj+2/cWPjPEbNDJeao Tf/AdUla6H/Ilh5r2/CR597rWgeCG7Lm9NFt81LooYoq5zb/6tWa8JG3YRE+i/BTV3KT 5sPqQ/zw9xfd+ObvdQbBOlbG3tHOA16nEz3HACc8+u011hoVhzpNPWnjLesggqgnebun SvpNtdSi27LjLzwFMwpThWE3LfOxv31cF4/o4uLRfZEEPDW4G42PWpmngnUt4N2ybjPg 22Zw== X-Gm-Message-State: AHQUAuaJ5nDBZUw8nk7hftqm9Ou5QBc93AKh+7CmRMNHUXjtCEfbWlrC aOZM4ZseOn1UzvNqa1VNBbMarQ== X-Received: by 2002:ac2:51bc:: with SMTP id f28mr2026597lfk.123.1549966138409; Tue, 12 Feb 2019 02:08:58 -0800 (PST) Received: from localhost (c-573670d5.07-21-73746f28.bbcust.telenor.se. [213.112.54.87]) by smtp.gmail.com with ESMTPSA id 85-v6sm2610811lja.16.2019.02.12.02.08.57 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 12 Feb 2019 02:08:57 -0800 (PST) From: Anders Roxell To: zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, ard.biesheuvel@linaro.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, x86@kernel.org, linux-efi@vger.kernel.org, platform-driver-x86@vger.kernel.org, Anders Roxell Subject: [PATCH 1/2] ima: fix build error redeclaration of enumerator Date: Tue, 12 Feb 2019 11:08:24 +0100 Message-Id: <20190212100825.9113-1-anders.roxell@linaro.org> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Sender: linux-efi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-efi@vger.kernel.org Commit a893ea15d764 ("tpm: move tpm_chip definition to include/linux/tpm.h") introduced a build error when both ima and efi is enabled. What happens is that both headers (ima.h and efi.h) defines the same 'NONE' constant, and it broke when they started getting included from the same file. In file included from ../security/integrity/ima/ima_fs.c:30: ../security/integrity/ima/ima.h:176:7: error: redeclaration of enumerator "NONE" hook(NONE) \ ^~~~ ../security/integrity/ima/ima.h:188:34: note: in definition of macro "__ima_hook_enumify" #define __ima_hook_enumify(ENUM) ENUM, ^~~~ ../security/integrity/ima/ima.h:191:2: note: in expansion of macro "__ima_hooks" __ima_hooks(__ima_hook_enumify) ^~~~~~~~~~~ In file included from ../arch/arm64/include/asm/acpi.h:15, from ../include/acpi/acpi_io.h:7, from ../include/linux/acpi.h:47, from ../include/linux/tpm.h:26, from ../security/integrity/ima/ima.h:25, from ../security/integrity/ima/ima_fs.c:30: ../include/linux/efi.h:1723:2: note: previous definition of "NONE" was here NONE, ^~~~ make[4]: *** [../scripts/Makefile.build:277: security/integrity/ima/ima_fs.o] Error 1 Rework to prefix the ima enum with 'IMA_*'. Signed-off-by: Anders Roxell --- We only need one of the two patches applied. security/integrity/ima/ima.h | 24 +++--- security/integrity/ima/ima_api.c | 3 +- security/integrity/ima/ima_appraise.c | 40 +++++----- security/integrity/ima/ima_main.c | 30 +++---- security/integrity/ima/ima_policy.c | 110 +++++++++++++------------- 5 files changed, 104 insertions(+), 103 deletions(-) -- 2.20.1 Reviewed-by: Andy Shevchenko diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index d213e835c498..89ceb61f279c 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -173,18 +173,18 @@ static inline unsigned long ima_hash_key(u8 *digest) } #define __ima_hooks(hook) \ - hook(NONE) \ - hook(FILE_CHECK) \ - hook(MMAP_CHECK) \ - hook(BPRM_CHECK) \ - hook(CREDS_CHECK) \ - hook(POST_SETATTR) \ - hook(MODULE_CHECK) \ - hook(FIRMWARE_CHECK) \ - hook(KEXEC_KERNEL_CHECK) \ - hook(KEXEC_INITRAMFS_CHECK) \ - hook(POLICY_CHECK) \ - hook(MAX_CHECK) + hook(IMA_NONE) \ + hook(IMA_FILE_CHECK) \ + hook(IMA_MMAP_CHECK) \ + hook(IMA_BPRM_CHECK) \ + hook(IMA_CREDS_CHECK) \ + hook(IMA_POST_SETATTR) \ + hook(IMA_MODULE_CHECK) \ + hook(IMA_FIRMWARE_CHECK) \ + hook(IMA_KEXEC_KERNEL_CHECK) \ + hook(IMA_KEXEC_INITRAMFS_CHECK) \ + hook(IMA_POLICY_CHECK) \ + hook(IMA_MAX_CHECK) #define __ima_hook_enumify(ENUM) ENUM, enum ima_hooks { diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index c7505fb122d4..81e705423894 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -168,7 +168,8 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * The policy is defined in terms of keypairs: * subj=, obj=, type=, func=, mask=, fsmagic= * subj,obj, and type: are LSM specific. - * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK + * func: IMA_FILE_CHECK | IMA_BPRM_CHECK | IMA_CREDS_CHECK \ + * | IMA_MMAP_CHECK | IMA_MODULE_CHECK * mask: contains the permission mask * fsmagic: hex value * diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index a2baa85ea2f5..c527cf3f37d3 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -86,16 +86,16 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, enum ima_hooks func) { switch (func) { - case MMAP_CHECK: + case IMA_MMAP_CHECK: return iint->ima_mmap_status; - case BPRM_CHECK: + case IMA_BPRM_CHECK: return iint->ima_bprm_status; - case CREDS_CHECK: + case IMA_CREDS_CHECK: return iint->ima_creds_status; - case FILE_CHECK: - case POST_SETATTR: + case IMA_FILE_CHECK: + case IMA_POST_SETATTR: return iint->ima_file_status; - case MODULE_CHECK ... MAX_CHECK - 1: + case IMA_MODULE_CHECK ... IMA_MAX_CHECK - 1: default: return iint->ima_read_status; } @@ -106,19 +106,19 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint, enum integrity_status status) { switch (func) { - case MMAP_CHECK: + case IMA_MMAP_CHECK: iint->ima_mmap_status = status; break; - case BPRM_CHECK: + case IMA_BPRM_CHECK: iint->ima_bprm_status = status; break; - case CREDS_CHECK: + case IMA_CREDS_CHECK: iint->ima_creds_status = status; - case FILE_CHECK: - case POST_SETATTR: + case IMA_FILE_CHECK: + case IMA_POST_SETATTR: iint->ima_file_status = status; break; - case MODULE_CHECK ... MAX_CHECK - 1: + case IMA_MODULE_CHECK ... IMA_MAX_CHECK - 1: default: iint->ima_read_status = status; break; @@ -129,20 +129,20 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, enum ima_hooks func) { switch (func) { - case MMAP_CHECK: + case IMA_MMAP_CHECK: iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED); break; - case BPRM_CHECK: + case IMA_BPRM_CHECK: iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED); break; - case CREDS_CHECK: + case IMA_CREDS_CHECK: iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED); break; - case FILE_CHECK: - case POST_SETATTR: + case IMA_FILE_CHECK: + case IMA_POST_SETATTR: iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED); break; - case MODULE_CHECK ... MAX_CHECK - 1: + case IMA_MODULE_CHECK ... IMA_MAX_CHECK - 1: default: iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED); break; @@ -298,7 +298,7 @@ int ima_appraise_measurement(enum ima_hooks func, break; } if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc && - func == KEXEC_KERNEL_CHECK) + func == IMA_KEXEC_KERNEL_CHECK) rc = integrity_digsig_verify(INTEGRITY_KEYRING_PLATFORM, (const char *)xattr_value, xattr_len, @@ -400,7 +400,7 @@ void ima_inode_post_setattr(struct dentry *dentry) || !(inode->i_opflags & IOP_XATTR)) return; - action = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR); + action = ima_must_appraise(inode, MAY_ACCESS, IMA_POST_SETATTR); if (!action) __vfs_removexattr(dentry, XATTR_NAME_IMA); iint = integrity_iint_find(inode); diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 357edd140c09..1ddbe39cba8a 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -193,7 +193,7 @@ static int process_measurement(struct file *file, const struct cred *cred, * Included is the appraise submask. */ action = ima_get_action(inode, cred, secid, mask, func, &pcr); - violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && + violation_check = ((func == IMA_FILE_CHECK || func == IMA_MMAP_CHECK) && (ima_policy_flag & IMA_MEASURE)); if (!action && !violation_check) return 0; @@ -202,7 +202,7 @@ static int process_measurement(struct file *file, const struct cred *cred, /* Is the appraise rule hook specific? */ if (action & IMA_FILE_APPRAISE) - func = FILE_CHECK; + func = IMA_FILE_CHECK; inode_lock(inode); @@ -340,7 +340,7 @@ int ima_file_mmap(struct file *file, unsigned long prot) if (file && (prot & PROT_EXEC)) { security_task_getsecid(current, &secid); return process_measurement(file, current_cred(), secid, NULL, - 0, MAY_EXEC, MMAP_CHECK); + 0, MAY_EXEC, IMA_MMAP_CHECK); } return 0; @@ -366,13 +366,13 @@ int ima_bprm_check(struct linux_binprm *bprm) security_task_getsecid(current, &secid); ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, - MAY_EXEC, BPRM_CHECK); + MAY_EXEC, IMA_BPRM_CHECK); if (ret) return ret; security_cred_getsecid(bprm->cred, &secid); return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, - MAY_EXEC, CREDS_CHECK); + MAY_EXEC, IMA_CREDS_CHECK); } /** @@ -392,7 +392,7 @@ int ima_file_check(struct file *file, int mask) security_task_getsecid(current, &secid); return process_measurement(file, current_cred(), secid, NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | - MAY_APPEND), FILE_CHECK); + MAY_APPEND), IMA_FILE_CHECK); } EXPORT_SYMBOL_GPL(ima_file_check); @@ -409,7 +409,7 @@ void ima_post_create_tmpfile(struct inode *inode) struct integrity_iint_cache *iint; int must_appraise; - must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); + must_appraise = ima_must_appraise(inode, MAY_ACCESS, IMA_FILE_CHECK); if (!must_appraise) return; @@ -436,7 +436,7 @@ void ima_post_path_mknod(struct dentry *dentry) struct inode *inode = dentry->d_inode; int must_appraise; - must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); + must_appraise = ima_must_appraise(inode, MAY_ACCESS, IMA_FILE_CHECK); if (!must_appraise) return; @@ -474,12 +474,12 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) } static const int read_idmap[READING_MAX_ID] = { - [READING_FIRMWARE] = FIRMWARE_CHECK, - [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, - [READING_MODULE] = MODULE_CHECK, - [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK, - [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK, - [READING_POLICY] = POLICY_CHECK + [READING_FIRMWARE] = IMA_FIRMWARE_CHECK, + [READING_FIRMWARE_PREALLOC_BUFFER] = IMA_FIRMWARE_CHECK, + [READING_MODULE] = IMA_MODULE_CHECK, + [READING_KEXEC_IMAGE] = IMA_KEXEC_KERNEL_CHECK, + [READING_KEXEC_INITRAMFS] = IMA_KEXEC_INITRAMFS_CHECK, + [READING_POLICY] = IMA_POLICY_CHECK }; /** @@ -520,7 +520,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, return 0; } - func = read_idmap[read_id] ?: FILE_CHECK; + func = read_idmap[read_id] ?: IMA_FILE_CHECK; security_task_getsecid(current, &secid); return process_measurement(file, current_cred(), secid, buf, size, MAY_READ, func); diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 26fa9d9723f6..1bd7b57b4503 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -112,31 +112,31 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { }; static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { - {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, + {.action = MEASURE, .func = IMA_MMAP_CHECK, .mask = MAY_EXEC, .flags = IMA_FUNC | IMA_MASK}, - {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, + {.action = MEASURE, .func = IMA_BPRM_CHECK, .mask = MAY_EXEC, .flags = IMA_FUNC | IMA_MASK}, - {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, + {.action = MEASURE, .func = IMA_FILE_CHECK, .mask = MAY_READ, .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, .flags = IMA_FUNC | IMA_MASK | IMA_UID}, - {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, - {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, + {.action = MEASURE, .func = IMA_MODULE_CHECK, .flags = IMA_FUNC}, + {.action = MEASURE, .func = IMA_FIRMWARE_CHECK, .flags = IMA_FUNC}, }; static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { - {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, + {.action = MEASURE, .func = IMA_MMAP_CHECK, .mask = MAY_EXEC, .flags = IMA_FUNC | IMA_MASK}, - {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, + {.action = MEASURE, .func = IMA_BPRM_CHECK, .mask = MAY_EXEC, .flags = IMA_FUNC | IMA_MASK}, - {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, + {.action = MEASURE, .func = IMA_FILE_CHECK, .mask = MAY_READ, .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, - {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, + {.action = MEASURE, .func = IMA_FILE_CHECK, .mask = MAY_READ, .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq, .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, - {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, - {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, - {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, + {.action = MEASURE, .func = IMA_MODULE_CHECK, .flags = IMA_FUNC}, + {.action = MEASURE, .func = IMA_FIRMWARE_CHECK, .flags = IMA_FUNC}, + {.action = MEASURE, .func = IMA_POLICY_CHECK, .flags = IMA_FUNC}, }; static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { @@ -155,7 +155,7 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC}, #ifdef CONFIG_IMA_WRITE_POLICY - {.action = APPRAISE, .func = POLICY_CHECK, + {.action = APPRAISE, .func = IMA_POLICY_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, #endif #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT @@ -170,31 +170,31 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { #ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS - {.action = APPRAISE, .func = MODULE_CHECK, + {.action = APPRAISE, .func = IMA_MODULE_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, #endif #ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS - {.action = APPRAISE, .func = FIRMWARE_CHECK, + {.action = APPRAISE, .func = IMA_FIRMWARE_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, #endif #ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS - {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, + {.action = APPRAISE, .func = IMA_KEXEC_KERNEL_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, #endif #ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS - {.action = APPRAISE, .func = POLICY_CHECK, + {.action = APPRAISE, .func = IMA_POLICY_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, #endif }; static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { - {.action = APPRAISE, .func = MODULE_CHECK, + {.action = APPRAISE, .func = IMA_MODULE_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, - {.action = APPRAISE, .func = FIRMWARE_CHECK, + {.action = APPRAISE, .func = IMA_FIRMWARE_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, - {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, + {.action = APPRAISE, .func = IMA_KEXEC_KERNEL_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, - {.action = APPRAISE, .func = POLICY_CHECK, + {.action = APPRAISE, .func = IMA_POLICY_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, }; @@ -292,13 +292,13 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, int i; if ((rule->flags & IMA_FUNC) && - (rule->func != func && func != POST_SETATTR)) + (rule->func != func && func != IMA_POST_SETATTR)) return false; if ((rule->flags & IMA_MASK) && - (rule->mask != mask && func != POST_SETATTR)) + (rule->mask != mask && func != IMA_POST_SETATTR)) return false; if ((rule->flags & IMA_INMASK) && - (!(rule->mask & mask) && func != POST_SETATTR)) + (!(rule->mask & mask) && func != IMA_POST_SETATTR)) return false; if ((rule->flags & IMA_FSMAGIC) && rule->fsmagic != inode->i_sb->s_magic) @@ -373,16 +373,16 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) return IMA_FILE_APPRAISE; switch (func) { - case MMAP_CHECK: + case IMA_MMAP_CHECK: return IMA_MMAP_APPRAISE; - case BPRM_CHECK: + case IMA_BPRM_CHECK: return IMA_BPRM_APPRAISE; - case CREDS_CHECK: + case IMA_CREDS_CHECK: return IMA_CREDS_APPRAISE; - case FILE_CHECK: - case POST_SETATTR: + case IMA_FILE_CHECK: + case IMA_POST_SETATTR: return IMA_FILE_APPRAISE; - case MODULE_CHECK ... MAX_CHECK - 1: + case IMA_MODULE_CHECK ... IMA_MAX_CHECK - 1: default: return IMA_READ_APPRAISE; } @@ -468,13 +468,13 @@ void ima_update_policy_flag(void) static int ima_appraise_flag(enum ima_hooks func) { - if (func == MODULE_CHECK) + if (func == IMA_MODULE_CHECK) return IMA_APPRAISE_MODULES; - else if (func == FIRMWARE_CHECK) + else if (func == IMA_FIRMWARE_CHECK) return IMA_APPRAISE_FIRMWARE; - else if (func == POLICY_CHECK) + else if (func == IMA_POLICY_CHECK) return IMA_APPRAISE_POLICY; - else if (func == KEXEC_KERNEL_CHECK) + else if (func == IMA_KEXEC_KERNEL_CHECK) return IMA_APPRAISE_KEXEC; return 0; } @@ -500,7 +500,7 @@ static void add_rules(struct ima_rule_entry *entries, int count, } if (entries[i].action == APPRAISE) temp_ima_appraise |= ima_appraise_flag(entries[i].func); - if (entries[i].func == POLICY_CHECK) + if (entries[i].func == IMA_POLICY_CHECK) temp_ima_appraise |= IMA_APPRAISE_POLICY; } } @@ -845,30 +845,30 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) if (entry->func) result = -EINVAL; - if (strcmp(args[0].from, "FILE_CHECK") == 0) - entry->func = FILE_CHECK; + if (strcmp(args[0].from, "IMA_FILE_CHECK") == 0) + entry->func = IMA_FILE_CHECK; /* PATH_CHECK is for backwards compat */ else if (strcmp(args[0].from, "PATH_CHECK") == 0) - entry->func = FILE_CHECK; - else if (strcmp(args[0].from, "MODULE_CHECK") == 0) - entry->func = MODULE_CHECK; - else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0) - entry->func = FIRMWARE_CHECK; + entry->func = IMA_FILE_CHECK; + else if (strcmp(args[0].from, "IMA_MODULE_CHECK") == 0) + entry->func = IMA_MODULE_CHECK; + else if (strcmp(args[0].from, "IMA_FIRMWARE_CHECK") == 0) + entry->func = IMA_FIRMWARE_CHECK; else if ((strcmp(args[0].from, "FILE_MMAP") == 0) - || (strcmp(args[0].from, "MMAP_CHECK") == 0)) - entry->func = MMAP_CHECK; - else if (strcmp(args[0].from, "BPRM_CHECK") == 0) - entry->func = BPRM_CHECK; - else if (strcmp(args[0].from, "CREDS_CHECK") == 0) - entry->func = CREDS_CHECK; - else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == + || (strcmp(args[0].from, "IMA_MMAP_CHECK") == 0)) + entry->func = IMA_MMAP_CHECK; + else if (strcmp(args[0].from, "IMA_BPRM_CHECK") == 0) + entry->func = IMA_BPRM_CHECK; + else if (strcmp(args[0].from, "IMA_CREDS_CHECK") == 0) + entry->func = IMA_CREDS_CHECK; + else if (strcmp(args[0].from, "IMA_KEXEC_KERNEL_CHECK") == 0) - entry->func = KEXEC_KERNEL_CHECK; - else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") + entry->func = IMA_KEXEC_KERNEL_CHECK; + else if (strcmp(args[0].from, "IMA_KEXEC_INITRAMFS_CHECK") == 0) - entry->func = KEXEC_INITRAMFS_CHECK; - else if (strcmp(args[0].from, "POLICY_CHECK") == 0) - entry->func = POLICY_CHECK; + entry->func = IMA_KEXEC_INITRAMFS_CHECK; + else if (strcmp(args[0].from, "IMA_POLICY_CHECK") == 0) + entry->func = IMA_POLICY_CHECK; else result = -EINVAL; if (!result) @@ -1194,7 +1194,7 @@ void ima_policy_stop(struct seq_file *m, void *v) */ static void policy_func_show(struct seq_file *m, enum ima_hooks func) { - if (func > 0 && func < MAX_CHECK) + if (func > 0 && func < IMA_MAX_CHECK) seq_printf(m, "func=%s ", func_tokens[func]); else seq_printf(m, "func=%d ", func);