ima: define a new hook to measure and appraise a file already in memory

This patch defines a new IMA hook ima_post_read_file() for measuring and appraising files read by the kernel. The caller loads the file into memory before calling this function, which calculates the hash followed by the normal IMA policy based processing. Changelog v5: - fail ima_post_read_file() if either file or buf is NULL v3: - rename ima_hash_and_process_file() to ima_post_read_file() v1: - split patch Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
author: Mimi Zohar <zohar@linux.vnet.ibm.com> 2016-01-14 17:57:47 -0500
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2016-02-20 22:35:08 -0500
commit: cf2222178645e545e96717b2825601321ce4745c (patch)
tree: c13092b85aaf3207e2626c7da1102da0b5dfab36 /security/security.c
parent: 98304bcf71845e97c0b5c800ae619311156b66c1 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/security/security.c b/security/security.c
index 5b96eabaafd4..ef4c65a9fd17 100644
--- a/security/security.c
+++ b/security/security.c
@@ -913,7 +913,12 @@ int security_kernel_module_from_file(struct file *file)
 int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
 				   enum kernel_read_file_id id)
 {
-	return call_int_hook(kernel_post_read_file, 0, file, buf, size, id);
+	int ret;
+
+	ret = call_int_hook(kernel_post_read_file, 0, file, buf, size, id);
+	if (ret)
+		return ret;
+	return ima_post_read_file(file, buf, size, id);
 }
 EXPORT_SYMBOL_GPL(security_kernel_post_read_file);
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	2016-01-14 17:57:47 -0500
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2016-02-20 22:35:08 -0500
commit	cf2222178645e545e96717b2825601321ce4745c (patch)
tree	c13092b85aaf3207e2626c7da1102da0b5dfab36 /security/security.c
parent	98304bcf71845e97c0b5c800ae619311156b66c1 (diff)