diff options
Diffstat (limited to 'security/loadpin/loadpin.c')
| -rw-r--r-- | security/loadpin/loadpin.c | 36 |
1 files changed, 19 insertions, 17 deletions
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index ebae964f7cc9..273ffbd6defe 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -20,6 +20,7 @@ #include <linux/string_helpers.h> #include <linux/dm-verity-loadpin.h> #include <uapi/linux/loadpin.h> +#include <uapi/linux/lsm.h> #define VERITY_DIGEST_FILE_HEADER "# LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS" @@ -62,7 +63,6 @@ static struct ctl_table loadpin_sysctl_table[] = { .extra1 = SYSCTL_ONE, .extra2 = SYSCTL_ONE, }, - { } }; static void set_sysctl(bool is_writable) @@ -208,6 +208,11 @@ static int loadpin_load_data(enum kernel_load_data_id id, bool contents) return loadpin_check(NULL, (enum kernel_read_file_id) id); } +static const struct lsm_id loadpin_lsmid = { + .name = "loadpin", + .id = LSM_ID_LOADPIN, +}; + static struct security_hook_list loadpin_hooks[] __ro_after_init = { LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security), LSM_HOOK_INIT(kernel_read_file, loadpin_read_file), @@ -259,16 +264,12 @@ static int __init loadpin_init(void) if (!register_sysctl("kernel/loadpin", loadpin_sysctl_table)) pr_notice("sysctl registration failed!\n"); #endif - security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin"); + security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), + &loadpin_lsmid); return 0; } -DEFINE_LSM(loadpin) = { - .name = "loadpin", - .init = loadpin_init, -}; - #ifdef CONFIG_SECURITY_LOADPIN_VERITY enum loadpin_securityfs_interface_index { @@ -277,7 +278,6 @@ enum loadpin_securityfs_interface_index { static int read_trusted_verity_root_digests(unsigned int fd) { - struct fd f; void *data; int rc; char *p, *d; @@ -289,8 +289,8 @@ static int read_trusted_verity_root_digests(unsigned int fd) if (!list_empty(&dm_verity_loadpin_trusted_root_digests)) return -EPERM; - f = fdget(fd); - if (!f.file) + CLASS(fd, f)(fd); + if (fd_empty(f)) return -EINVAL; data = kzalloc(SZ_4K, GFP_KERNEL); @@ -299,7 +299,7 @@ static int read_trusted_verity_root_digests(unsigned int fd) goto err; } - rc = kernel_read_file(f.file, 0, (void **)&data, SZ_4K - 1, NULL, READING_POLICY); + rc = kernel_read_file(fd_file(f), 0, (void **)&data, SZ_4K - 1, NULL, READING_POLICY); if (rc < 0) goto err; @@ -336,6 +336,7 @@ static int read_trusted_verity_root_digests(unsigned int fd) rc = -ENOMEM; goto err; } + trd->len = len; if (hex2bin(trd->data, d, len)) { kfree(trd); @@ -343,8 +344,6 @@ static int read_trusted_verity_root_digests(unsigned int fd) goto err; } - trd->len = len; - list_add_tail(&trd->node, &dm_verity_loadpin_trusted_root_digests); } @@ -354,7 +353,6 @@ static int read_trusted_verity_root_digests(unsigned int fd) } kfree(data); - fdput(f); return 0; @@ -374,8 +372,6 @@ err: /* disallow further attempts after reading a corrupt/invalid file */ deny_reading_verity_digests = true; - fdput(f); - return rc; } @@ -433,9 +429,15 @@ static int __init init_loadpin_securityfs(void) return 0; } -fs_initcall(init_loadpin_securityfs); +#endif /* CONFIG_SECURITY_LOADPIN_VERITY */ +DEFINE_LSM(loadpin) = { + .id = &loadpin_lsmid, + .init = loadpin_init, +#ifdef CONFIG_SECURITY_LOADPIN_VERITY + .initcall_fs = init_loadpin_securityfs, #endif /* CONFIG_SECURITY_LOADPIN_VERITY */ +}; /* Should not be mutable after boot, so not listed in sysfs (perm == 0). */ module_param(enforce, int, 0); |