diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/ima/ima_main.c | 16 | ||||
-rw-r--r-- | security/security.c | 13 |
2 files changed, 29 insertions, 0 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index e9651be17b72..bbb80df28fb1 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -338,6 +338,22 @@ int ima_module_check(struct file *file) } /** + * ima_read_file - pre-measure/appraise hook decision based on policy + * @file: pointer to the file to be measured/appraised/audit + * @read_id: caller identifier + * + * Permit reading a file based on policy. The policy rules are written + * in terms of the policy identifier. Appraising the integrity of + * a file requires a file descriptor. + * + * For permission return 0, otherwise return -EACCES. + */ +int ima_read_file(struct file *file, enum kernel_read_file_id read_id) +{ + return 0; +} + +/** * ima_post_read_file - in memory collect/appraise/audit measurement * @file: pointer to the file to be measured/appraised/audit * @buf: pointer to in memory file contents diff --git a/security/security.c b/security/security.c index cd85be61c416..8e699f98a600 100644 --- a/security/security.c +++ b/security/security.c @@ -899,6 +899,17 @@ int security_kernel_module_from_file(struct file *file) return ima_module_check(file); } +int security_kernel_read_file(struct file *file, enum kernel_read_file_id id) +{ + int ret; + + ret = call_int_hook(kernel_read_file, 0, file, id); + if (ret) + return ret; + return ima_read_file(file, id); +} +EXPORT_SYMBOL_GPL(security_kernel_read_file); + int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, enum kernel_read_file_id id) { @@ -1696,6 +1707,8 @@ struct security_hook_heads security_hook_heads = { LIST_HEAD_INIT(security_hook_heads.kernel_module_request), .kernel_module_from_file = LIST_HEAD_INIT(security_hook_heads.kernel_module_from_file), + .kernel_read_file = + LIST_HEAD_INIT(security_hook_heads.kernel_read_file), .kernel_post_read_file = LIST_HEAD_INIT(security_hook_heads.kernel_post_read_file), .task_fix_setuid = |