hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/IAZ996 CVE: NA
Reference: https://lore.kernel.org/linux-integrity/9e3df65c2bf060b5833558e9f8d82dcd2fe9...
----------------------------------------------------------------------
Add a new security function ima_bprm_creds_for_exec() so that IMA can measure and appraise indirect script execution (check-only execs). When the script exec check is enabled, it calls ima_bprm_check() from security_bprm_creds_for_exec().
Signed-off-by: Huaxin Lu luhuaxin1@huawei.com Signed-off-by: Gu Bowen gubowen5@huawei.com --- include/linux/ima.h | 6 ++++++ security/integrity/ima/ima_main.c | 11 +++++++++++ security/security.c | 7 ++++++- 3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 99bb44ca7116..2fef0f3a9c62 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -15,6 +15,7 @@ struct linux_binprm;
#ifdef CONFIG_IMA
extern int ima_bprm_check(struct linux_binprm *bprm);
+extern int ima_bprm_creds_for_exec(struct linux_binprm *bprm);
extern int ima_file_check(struct file *file, int mask);
extern void ima_post_create_tmpfile(struct inode *inode);
extern void ima_file_free(struct file *file);
@@ -57,6 +58,11 @@ static inline int ima_bprm_check(struct linux_binprm *bprm)
return 0;
}
+static inline int ima_bprm_creds_for_exec(struct linux_binprm *bprm)
+{
+ return 0;
+}
+
static inline int ima_file_check(struct file *file, int mask)
{
return 0;
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index c93626aa3eb5..ac5f82b2dd58 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -597,6 +597,17 @@ int ima_bprm_check(struct linux_binprm *bprm)
MAY_EXEC, CREDS_CHECK);
}
+/**
+ * ima_bprm_creds_for_exec - ima support exec check.
+ */
+int ima_bprm_creds_for_exec(struct linux_binprm *bprm)
+{
+ if (!bprm->is_check)
+ return 0;
+
+ return ima_bprm_check(bprm);
+}
+
/**
* ima_path_check - based on policy, collect/store measurement.
* @file: pointer to the file to be measured
diff --git a/security/security.c b/security/security.c
index e6a6482ae3cb..a67aa63c8c8b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -859,7 +859,12 @@ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
*/
int security_bprm_creds_for_exec(struct linux_binprm *bprm)
{
- return call_int_hook(bprm_creds_for_exec, 0, bprm);
+ int ret;
+
+ ret = call_int_hook(bprm_creds_for_exec, 0, bprm);
+ if (ret)
+ return ret;
+ return ima_bprm_creds_for_exec(bprm);
}
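Review bot: The kerneldoc on the new `ima_bprm_creds_for_exec()` says only "ima support exec check" and documents neither `@bprm` nor the return value, so a reader cannot tell from the comment why the function is a no-op unless `bprm->is_check` is set, nor that a non-zero return vetoes the exec. I would replace the header with a comment stating that this is called from `security_bprm_creds_for_exec()`, that `is_check` marks a check-only exec whose file is presumably run by a script interpreter rather than by the kernel (confirm against the change that adds `is_check` to `struct linux_binprm`, which this patch does not include), that the early return exists because the regular exec path is presumably already measured by `ima_bprm_check()` elsewhere and a second measurement is not wanted, and ending with `Return: 0 if this is not a check-only exec or measurement/appraisal succeeded, otherwise the error from ima_bprm_check()`. Since `is_check` is not introduced here, the build of this hunk depends on an earlier patch and the commit message should reference it.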
int security_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file)
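Review bot: `security_bprm_creds_for_exec()` now has a second gate that its kerneldoc, which begins above the hunk, does not mention: after every LSM's `bprm_creds_for_exec` hook has passed, IMA may still measure and appraise the file and return an error that denies the exec. The ordering also means a failing LSM hook short-circuits before IMA runs, so no measurement is recorded for a check that an LSM rejected; that is a reasonable choice, and it appears to mirror the call_int_hook-then-IMA pattern used for the other bprm hooks in this tree, but it should be written down. I would add to the function's kerneldoc: ` * IMA is consulted after the LSM hooks via ima_bprm_creds_for_exec(); an LSM denial returns before IMA measures or appraises the file.` The `int ret;` followed by a separate assignment could be collapsed to `int ret = call_int_hook(bprm_creds_for_exec, 0, bprm);`, which is a matter of taste only.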