hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/IAZ996 CVE: NA
Reference: https://lore.kernel.org/linux-integrity/9e3df65c2bf060b5833558e9f8d82dcd2fe9...
----------------------------------------------------------------------
Support IMA measurement and appraisal of indirect script execution (an interpreter invoked on a script file). When the script exec check is enabled, ima_bprm_check() is reached through security_bprm_creds_for_exec().
Signed-off-by: Huaxin Lu luhuaxin1@huawei.com Signed-off-by: Gu Bowen gubowen5@huawei.com --- include/linux/ima.h | 1 + security/integrity/ima/ima_main.c | 11 +++++++++++ security/security.c | 7 ++++++- 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 86b57757c7b1..76d0f71d7955 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -17,6 +17,7 @@ struct linux_binprm;
 #ifdef CONFIG_IMA
 extern enum hash_algo ima_get_current_hash_algo(void);
 extern int ima_bprm_check(struct linux_binprm *bprm);
+extern int ima_bprm_creds_for_exec(struct linux_binprm *bprm);
 extern int ima_file_check(struct file *file, int mask);
 extern void ima_post_create_tmpfile(struct mnt_idmap *idmap,
 struct inode *inode);
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5358ca2d8aaf..b167b649ba31 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -638,6 +638,17 @@ int ima_bprm_check(struct linux_binprm *bprm)
 MAY_EXEC, CREDS_CHECK);
 }
+/**
+ * ima_bprm_creds_for_exec - ima support exec check.
+ */
+int ima_bprm_creds_for_exec(struct linux_binprm *bprm)
+{
+ if (!bprm->is_check)
+ return 0;
+
+ return ima_bprm_check(bprm);
+}
+
 /**
  * ima_file_check - based on policy, collect/store measurement.
  * @file: pointer to the file to be measured
diff --git a/security/security.c b/security/security.c
index df5977b9ac9a..603e6260d63d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1063,7 +1063,12 @@ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
  */
 int security_bprm_creds_for_exec(struct linux_binprm *bprm)
 {
- return call_int_hook(bprm_creds_for_exec, 0, bprm);
+ int ret;
+
+ ret = call_int_hook(bprm_creds_for_exec, 0, bprm);
+ if (ret)
+ return ret;
+ return ima_bprm_creds_for_exec(bprm);
 }
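Review bot: The kernel-doc on the new ima_bprm_creds_for_exec() documents neither its parameter nor its return value, and the summary "ima support exec check" does not say which check is meant; add `@bprm: contains the linux_binprm structure` and `Return: 0 when bprm->is_check is clear, otherwise the result of ima_bprm_check().` The early return on `!bprm->is_check` also needs a why-comment, since a reader will wonder why a creds_for_exec hook acts on only some execs: per the commit message this function is meant for the script exec-check path, and the ordinary execve path already reaches ima_bprm_check() from the bprm_check hook, so the guard presumably keeps a script from being measured and appraised twice — a line such as `/* Only the script exec check path is handled here; regular execs are already covered via security_bprm_check(). */` above the test would do. The is_check member of struct linux_binprm is not visible in this patch and is assumed to come from the referenced upstream series; please confirm it exists in this tree.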
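Review bot: The new tail call `return ima_bprm_creds_for_exec(bprm);` in security_bprm_creds_for_exec() is unconditional, yet the only declaration this patch adds lives under `#ifdef CONFIG_IMA` in include/linux/ima.h and the diffstat shows that header gaining exactly one line, so no `!CONFIG_IMA` stub is added; unless the `#else` branch of ima.h (outside these hunks) already provides one, a kernel built without IMA will fail to link here. The fix is a one-line stub next to the other IMA stubs, `static inline int ima_bprm_creds_for_exec(struct linux_binprm *bprm) { return 0; }`. Calling IMA only after every LSM hook has returned 0 is the right order and keeps the existing error-first semantics of the hook. The kernel-doc for security_bprm_creds_for_exec() starts above this hunk (only its closing ` */` is visible); its description and Return: text, if present, should be extended to say that the IMA exec check is consulted after the LSM hooks and that its error is propagated.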
/**