ima: Align ima_file_mprotect() definition with LSM infrastructure
Change ima_file_mprotect() definition, so that it can be registered as implementation of the file_mprotect hook. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Acked-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
parent
bad5247a2c
commit
0298c5a9b1
@ -23,7 +23,8 @@ extern void ima_post_create_tmpfile(struct mnt_idmap *idmap,
|
||||
extern void ima_file_free(struct file *file);
|
||||
extern int ima_file_mmap(struct file *file, unsigned long reqprot,
|
||||
unsigned long prot, unsigned long flags);
|
||||
extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot);
|
||||
extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
|
||||
unsigned long prot);
|
||||
extern int ima_load_data(enum kernel_load_data_id id, bool contents);
|
||||
extern int ima_post_load_data(char *buf, loff_t size,
|
||||
enum kernel_load_data_id id, char *description);
|
||||
@ -84,7 +85,7 @@ static inline int ima_file_mmap(struct file *file, unsigned long reqprot,
|
||||
}
|
||||
|
||||
static inline int ima_file_mprotect(struct vm_area_struct *vma,
|
||||
unsigned long prot)
|
||||
unsigned long reqprot, unsigned long prot)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
@ -455,7 +455,8 @@ int ima_file_mmap(struct file *file, unsigned long reqprot,
|
||||
/**
|
||||
* ima_file_mprotect - based on policy, limit mprotect change
|
||||
* @vma: vm_area_struct protection is set to
|
||||
* @prot: contains the protection that will be applied by the kernel.
|
||||
* @reqprot: protection requested by the application
|
||||
* @prot: protection that will be applied by the kernel
|
||||
*
|
||||
* Files can be mmap'ed read/write and later changed to execute to circumvent
|
||||
* IMA's mmap appraisal policy rules. Due to locking issues (mmap semaphore
|
||||
@ -465,7 +466,8 @@ int ima_file_mmap(struct file *file, unsigned long reqprot,
|
||||
*
|
||||
* On mprotect change success, return 0. On failure, return -EACESS.
|
||||
*/
|
||||
int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot)
|
||||
int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
|
||||
unsigned long prot)
|
||||
{
|
||||
struct ima_template_desc *template = NULL;
|
||||
struct file *file;
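Review bot: The kernel-doc for ima_file_mprotect() now lists both `@reqprot` and `@prot` but does not say which one the policy decision relies on. For an integrity check this matters, because `prot` is what the kernel will actually apply and may be wider than what the application requested. The function body continues outside this hunk, so how the two values are used is not visible here. If `reqprot` exists only to match the file_mprotect hook signature, I would say so in the comment, e.g. `* @reqprot: protection requested by the application (unused; the check is based on @prot)`. While this comment is being edited, the return line's `-EACESS` should read `-EACCES`.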
|
||||
|
@ -2831,7 +2831,7 @@ int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
|
||||
ret = call_int_hook(file_mprotect, 0, vma, reqprot, prot);
|
||||
if (ret)
|
||||
return ret;
|
||||
return ima_file_mprotect(vma, prot);
|
||||
return ima_file_mprotect(vma, reqprot, prot);
|
||||
}
|
||||
|
||||
/**
|
||||
|