ima: Move IMA-Appraisal to LSM infrastructure
A few additional IMA hooks are needed to reset the cached appraisal status, causing the file's integrity to be re-evaluated on next access. Register these IMA-appraisal only functions separately from the rest of IMA functions, as appraisal is a separate feature not necessarily enabled in the kernel configuration. Reuse the same approach as for other IMA functions, move hardcoded calls from various places in the kernel to the LSM infrastructure. Declare the functions as static and register them as hook implementations in init_ima_appraise_lsm(), called by init_ima_lsm(). Also move the inline function ima_inode_remove_acl() from the public ima.h header to ima_appraise.c. Signed-off-by:Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by:
Stefan Berger <stefanb@linux.ibm.com> Reviewed-by:
Mimi Zohar <zohar@linux.ibm.com> Reviewed-by:
Casey Schaufler <casey@schaufler-ca.com> Acked-by:
Christian Brauner <brauner@kernel.org> Acked-by:
Paul Moore <paul@paul-moore.com>
Showing
- fs/attr.c 0 additions, 2 deletionsfs/attr.c
- include/linux/ima.h 0 additions, 55 deletionsinclude/linux/ima.h
- security/integrity/ima/ima.h 5 additions, 0 deletionssecurity/integrity/ima/ima.h
- security/integrity/ima/ima_appraise.c 29 additions, 9 deletionssecurity/integrity/ima/ima_appraise.c
- security/integrity/ima/ima_main.c 1 addition, 0 deletionssecurity/integrity/ima/ima_main.c
- security/security.c 0 additions, 13 deletionssecurity/security.c
Please register or sign in to comment