
Commit 0c343af

mjg59Mimi Zohar
authored andcommitted
integrity: Add an integrity directory in securityfs
We want to add additional evm control nodes, and it'd be preferable not to clutter up the securityfs root directory any further. Create a new integrity directory, move the ima directory into it, create an evm directory for the evm attribute and add compatibility symlinks. Signed-off-by: Matthew Garrett <[email protected]> Signed-off-by: Mimi Zohar <[email protected]>
1 parent 4ecd993 commit 0c343af


4 files changed

+52
-4
lines changed


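--- a/security/integrity/evm/evm_secfs.c
+++ b/security/integrity/evm/evm_secfs.c
@@ -19,7 +19,9 @@
 #include <linux/module.h>
 #include "evm.h"
 
+static struct dentry *evm_dir;
 static struct dentry *evm_init_tpm;
+static struct dentry *evm_symlink;
 
 /**
 * evm_read_key - read() for <securityfs>/evm
@@ -111,9 +113,28 @@ int __init evm_init_secfs(void)
 {
 int error = 0;
 
-evm_init_tpm = securityfs_create_file("evm", S_IRUSR | S_IRGRP,
-NULL, NULL, &evm_key_ops);
-if (!evm_init_tpm || IS_ERR(evm_init_tpm))
+evm_dir = securityfs_create_dir("evm", integrity_dir);
+if (!evm_dir || IS_ERR(evm_dir))
+return -EFAULT;
+
+evm_init_tpm = securityfs_create_file("evm", 0660,
+evm_dir, NULL, &evm_key_ops);
+if (!evm_init_tpm || IS_ERR(evm_init_tpm)) {
+error = -EFAULT;
+goto out;
+}
+
+evm_symlink = securityfs_create_symlink("evm", NULL,
+"integrity/evm/evm", NULL);
+if (!evm_symlink || IS_ERR(evm_symlink)) {
 error = -EFAULT;
+goto out;
+}
+
+return 0;
+out:
+securityfs_remove(evm_symlink);
+securityfs_remove(evm_init_tpm);
+securityfs_remove(evm_dir);
 return error;
 }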
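Review bot: The mode passed to securityfs_create_file for the evm node changes from `S_IRUSR | S_IRGRP` to `0660` in the second hunk, while the description only speaks of moving the node and adding a symlink; that widens the node's permission bits to include write, so it should either be stated in the commit message or left as it was so this stays a pure relocation. Separately, evm_init_secfs now depends on integrity_fs_init in iint.c having run first: if it has not, or it failed and left integrity_dir NULL, `securityfs_create_dir("evm", integrity_dir)` presumably lands at the securityfs root under the same name the compatibility symlink then tries to create, so the symlink fails and the whole init unwinds; ima_fs_init in ima_fs.c has the same exposure. If both initializers are late_initcalls, as the iint.c hunk suggests, that ordering rests on link order alone and deserves a comment at the securityfs_create_dir call, or an explicit guard along the lines of `if (!integrity_dir) return -EFAULT;`.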

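--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -21,12 +21,15 @@
 #include <linux/rbtree.h>
 #include <linux/file.h>
 #include <linux/uaccess.h>
+#include <linux/security.h>
 #include "integrity.h"
 
 static struct rb_root integrity_iint_tree = RB_ROOT;
 static DEFINE_RWLOCK(integrity_iint_lock);
 static struct kmem_cache *iint_cache __read_mostly;
 
+struct dentry *integrity_dir;
+
 /*
 * __integrity_iint_find - return the iint associated with an inode
 */
@@ -211,3 +214,18 @@ void __init integrity_load_keys(void)
 ima_load_x509();
 evm_load_x509();
 }
+
+static int __init integrity_fs_init(void)
+{
+integrity_dir = securityfs_create_dir("integrity", NULL);
+if (IS_ERR(integrity_dir)) {
+pr_err("Unable to create integrity sysfs dir: %ld\n",
+PTR_ERR(integrity_dir));
+integrity_dir = NULL;
+return PTR_ERR(integrity_dir);
+}
+
+return 0;
+}
+
+late_initcall(integrity_fs_init)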
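Review bot: integrity_fs_init returns the wrong value on failure: `integrity_dir = NULL;` runs before `return PTR_ERR(integrity_dir);`, so PTR_ERR is taken of NULL and the function reports 0 exactly when directory creation failed. Capture the code first, `int err = PTR_ERR(integrity_dir);` ahead of the pr_err, and finish with `return err;` after the pointer is reset. The message says "sysfs" but the directory is created in securityfs, so `"Unable to create integrity securityfs dir: %ld\n"` would be accurate. Resetting the pointer to NULL apparently exists so that the ima and evm initializers can still pass it as a parent; a one-line comment at the `struct dentry *integrity_dir;` definition stating that it is NULL when creation failed would make that contract explicit.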

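--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -359,6 +359,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
 }
 
 static struct dentry *ima_dir;
+static struct dentry *ima_symlink;
 static struct dentry *binary_runtime_measurements;
 static struct dentry *ascii_runtime_measurements;
 static struct dentry *runtime_measurements_count;
@@ -453,10 +454,15 @@ static const struct file_operations ima_measure_policy_ops = {
 
 int __init ima_fs_init(void)
 {
-ima_dir = securityfs_create_dir("ima", NULL);
+ima_dir = securityfs_create_dir("ima", integrity_dir);
 if (IS_ERR(ima_dir))
 return -1;
 
+ima_symlink = securityfs_create_symlink("ima", NULL, "integrity/ima",
+NULL);
+if (IS_ERR(ima_symlink))
+goto out;
+
 binary_runtime_measurements =
 securityfs_create_file("binary_runtime_measurements",
 S_IRUSR | S_IRGRP, ima_dir, NULL,
@@ -496,6 +502,7 @@ int __init ima_fs_init(void)
 securityfs_remove(runtime_measurements_count);
 securityfs_remove(ascii_runtime_measurements);
 securityfs_remove(binary_runtime_measurements);
+securityfs_remove(ima_symlink);
 securityfs_remove(ima_dir);
 securityfs_remove(ima_policy);
 return -1;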
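Review bot: The compatibility symlink added to ima_fs_init in the second hunk has no comment explaining its purpose, and its target `"integrity/ima"` is a path relative to the securityfs root rather than to ima_dir, which is easy to misread next to the ima_dir creation just above it. A comment above the call such as `/* <securityfs>/ima -> integrity/ima: keep the old path working for existing userspace */` would record the intent the commit message gives. The `goto out` on symlink failure jumps to cleanup that lies outside that hunk; the third hunk shows the unwind path already removes ima_symlink before ima_dir, so the cleanup order is consistent with the creation order.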

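--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -143,6 +143,8 @@ int integrity_kernel_read(struct file *file, loff_t offset,
 #define INTEGRITY_KEYRING_MODULE 2
 #define INTEGRITY_KEYRING_MAX 3
 
+extern struct dentry *integrity_dir;
+
 #ifdef CONFIG_INTEGRITY_SIGNATURE
 
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,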
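Review bot: The new `extern struct dentry *integrity_dir;` declaration carries no documentation of its contract, even though iint.c resets it to NULL when securityfs_create_dir fails and ima_fs.c and evm_secfs.c pass it straight in as a parent dentry. A comment above the declaration such as `/* <securityfs>/integrity; NULL when creation failed, in which case users end up creating at the securityfs root */` would make that fallback visible to anyone adding further nodes under the directory.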
