authorRoberto Sassu <roberto.sassu@huawei.com>2024-02-15 11:30:50 +0100
committerPaul Moore <paul@paul-moore.com>2024-02-15 23:43:38 -0500
commit0298c5a9b168f0d74ea3bf881301c4bd9252d367 (patch)
tree2d3aa59e5d533fc502468c694c99681f266211ee /security
parentbad5247a2c4f7eab6fb922af3362740a562dc665 (diff)
ima: Align ima_file_mprotect() definition with LSM infrastructure
Change ima_file_mprotect() definition, so that it can be registered as implementation of the file_mprotect hook. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Acked-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/ima/ima_main.c6
-rw-r--r--security/security.c2
2 files changed, 5 insertions, 3 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index cc1217ac2c6f..b3f5e8401056 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -455,7 +455,8 @@ int ima_file_mmap(struct file *file, unsigned long reqprot,
/**
* ima_file_mprotect - based on policy, limit mprotect change
* @vma: vm_area_struct protection is set to
- * @prot: contains the protection that will be applied by the kernel.
+ * @reqprot: protection requested by the application
+ * @prot: protection that will be applied by the kernel
*
* Files can be mmap'ed read/write and later changed to execute to circumvent
* IMA's mmap appraisal policy rules. Due to locking issues (mmap semaphore
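Review bot: The new `@reqprot` line does not tell a reader whether IMA consults that value, and because `reqprot` and `prot` are both `unsigned long`, a later edit could switch the policy check to the wrong one without any compiler warning. If the body (outside this hunk) still decides on `prot` only, I would say so in the kernel-doc, e.g. `* @reqprot: protection requested by the application (unused; present to match the file_mprotect hook)`. The distinction matters for appraisal because, as the two descriptions themselves say, `prot` is what the kernel will apply and need not equal what the application asked for. The comment block continues past the end of this hunk.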
@@ -465,7 +466,8 @@ int ima_file_mmap(struct file *file, unsigned long reqprot,
*
* On mprotect change success, return 0. On failure, return -EACESS.
*/
-int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot)
+int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
+ unsigned long prot)
{
struct ima_template_desc *template = NULL;
struct file *file;
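Review bot: The kernel-doc line just above the changed signature spells the error code `-EACESS`; the errno constant is `EACCES`, so while this comment is being touched it should read `* On mprotect change success, return 0. On failure, return -EACCES.`. As written, a search for the real constant will miss this function's documentation. The function body continues outside the hunk, so it is also worth confirming that the documented value matches what the denial path actually returns.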
diff --git a/security/security.c b/security/security.c
index 3aaad75c9ce8..36933ac45d3b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2831,7 +2831,7 @@ int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
ret = call_int_hook(file_mprotect, 0, vma, reqprot, prot);
if (ret)
return ret;
- return ima_file_mprotect(vma, prot);
+ return ima_file_mprotect(vma, reqprot, prot);
}
/**