add new system file

hc

2024-02-20 102a0743326a03cd1a1202ceda21e175b7d3575c

 kernel/security/integrity/integrity.h
..
..
@@ -1,15 +1,16 @@
1
+/* SPDX-License-Identifier: GPL-2.0-only */
1
2
 /*
2
3
  * Copyright (C) 2009-2010 IBM Corporation
3
4
  *
4
5
  * Authors:
5
6
  * Mimi Zohar <zohar@us.ibm.com>
6
- *
7
- * This program is free software; you can redistribute it and/or
8
- * modify it under the terms of the GNU General Public License as
9
- * published by the Free Software Foundation, version 2 of the
10
- * License.
11
- *
12
7
  */
8
+
9
+#ifdef pr_fmt
10
+#undef pr_fmt
11
+#endif
12
+
13
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
14
 
14
15
 #include <linux/types.h>
15
16
 #include <linux/integrity.h>
..
..
@@ -36,6 +37,8 @@
36
37
 #define IMA_NEW_FILE		0x04000000
37
38
 #define EVM_IMMUTABLE_DIGSIG	0x08000000
38
39
 #define IMA_FAIL_UNVERIFIABLE_SIGS	0x10000000
40
+#define IMA_MODSIG_ALLOWED	0x20000000
41
+#define IMA_CHECK_BLACKLIST	0x40000000
39
42
 
40
43
 #define IMA_DO_MASK		(IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
41
44
 				 IMA_HASH | IMA_APPRAISE_SUBMASK)
..
..
@@ -79,6 +82,12 @@
79
82
 
80
83
 struct evm_ima_xattr_data {
81
84
 	u8 type;
85
+	u8 data[];
86
+} __packed;
87
+
88
+/* Only used in the EVM HMAC code. */
89
+struct evm_xattr {
90
+	struct evm_ima_xattr_data data;
82
91
 	u8 digest[SHA1_DIGEST_SIZE];
83
92
 } __packed;
84
93
 
..
..
@@ -98,7 +107,7 @@
98
107
 		} ng;
99
108
 		u8 data[2];
100
109
 	} xattr;
101
-	u8 digest[0];
110
+	u8 digest[];
102
111
 } __packed;
103
112
 
104
113
 /*
..
..
@@ -110,7 +119,7 @@
110
119
 	uint8_t	hash_algo;	/* Digest algorithm [enum hash_algo] */
111
120
 	__be32 keyid;		/* IMA key identifier - not X509/PGP specific */
112
121
 	__be16 sig_size;	/* signature size */
113
-	uint8_t sig[0];		/* signature payload */
122
+	uint8_t sig[];		/* signature payload */
114
123
 } __packed;
115
124
 
116
125
 /* integrity data associated with an inode */
..
..
@@ -141,18 +150,23 @@
141
150
 
142
151
 #define INTEGRITY_KEYRING_EVM		0
143
152
 #define INTEGRITY_KEYRING_IMA		1
144
-#define INTEGRITY_KEYRING_MODULE	2
153
+#define INTEGRITY_KEYRING_PLATFORM	2
145
154
 #define INTEGRITY_KEYRING_MAX		3
146
155
 
147
156
 extern struct dentry *integrity_dir;
157
+
158
+struct modsig;
148
159
 
149
160
 #ifdef CONFIG_INTEGRITY_SIGNATURE
150
161
 
151
162
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
152
163
 			    const char *digest, int digestlen);
164
+int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
153
165
 
154
166
 int __init integrity_init_keyring(const unsigned int id);
155
167
 int __init integrity_load_x509(const unsigned int id, const char *path);
168
+int __init integrity_load_cert(const unsigned int id, const char *source,
169
+			       const void *data, size_t len, key_perm_t perm);
156
170
 #else
157
171
 
158
172
 static inline int integrity_digsig_verify(const unsigned int id,
..
..
@@ -162,7 +176,21 @@
162
176
 	return -EOPNOTSUPP;
163
177
 }
164
178
 
179
+static inline int integrity_modsig_verify(unsigned int id,
180
+					  const struct modsig *modsig)
181
+{
182
+	return -EOPNOTSUPP;
183
+}
184
+
165
185
 static inline int integrity_init_keyring(const unsigned int id)
186
+{
187
+	return 0;
188
+}
189
+
190
+static inline int __init integrity_load_cert(const unsigned int id,
191
+					     const char *source,
192
+					     const void *data, size_t len,
193
+					     key_perm_t perm)
166
194
 {
167
195
 	return 0;
168
196
 }
..
..
@@ -174,6 +202,16 @@
174
202
 #else
175
203
 static inline int asymmetric_verify(struct key *keyring, const char *sig,
176
204
 				    int siglen, const char *data, int datalen)
205
+{
206
+	return -EOPNOTSUPP;
207
+}
208
+#endif
209
+
210
+#ifdef CONFIG_IMA_APPRAISE_MODSIG
211
+int ima_modsig_verify(struct key *keyring, const struct modsig *modsig);
212
+#else
213
+static inline int ima_modsig_verify(struct key *keyring,
214
+				    const struct modsig *modsig)
177
215
 {
178
216
 	return -EOPNOTSUPP;
179
217
 }
..
..
@@ -201,6 +239,11 @@
201
239
 			 const unsigned char *fname, const char *op,
202
240
 			 const char *cause, int result, int info);
203
241
 
242
+void integrity_audit_message(int audit_msgno, struct inode *inode,
243
+			     const unsigned char *fname, const char *op,
244
+			     const char *cause, int result, int info,
245
+			     int errno);
246
+
204
247
 static inline struct audit_buffer *
205
248
 integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
206
249
 {
..
..
@@ -215,6 +258,14 @@
215
258
 {
216
259
 }
217
260
 
261
+static inline void integrity_audit_message(int audit_msgno,
262
+					   struct inode *inode,
263
+					   const unsigned char *fname,
264
+					   const char *op, const char *cause,
265
+					   int result, int info, int errno)
266
+{
267
+}
268
+
218
269
 static inline struct audit_buffer *
219
270
 integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
220
271
 {
..
..
@@ -222,3 +273,13 @@
222
273
 }
223
274
 
224
275
 #endif
276
+
277
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
278
+void __init add_to_platform_keyring(const char *source, const void *data,
279
+				    size_t len);
280
+#else
281
+static inline void __init add_to_platform_keyring(const char *source,
282
+						  const void *data, size_t len)
283
+{
284
+}
285
+#endif