linux/security/integrity/iint.c
Roberto Sassu b6c0dec9f7 integrity: Remove LSM
Since now IMA and EVM use their own integrity metadata, it is safe to
remove the 'integrity' LSM, with its management of integrity metadata.

Keep the iint.c file only for loading IMA and EVM keys at boot, and for
creating the integrity directory in securityfs (we need to keep it for
backward-compatibility reasons).

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-15 23:43:48 -05:00


// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (C) 2008 IBM Corporation
*
* Authors:
* Mimi Zohar <zohar@us.ibm.com>
*
* File: integrity_iint.c
* - initialize the integrity directory in securityfs
* - load IMA and EVM keys
*/
#include <linux/security.h>
#include "integrity.h"
/*
 * The "integrity" directory in securityfs. Created by integrity_fs_init();
 * stays NULL (file-scope zero initialisation) until then, and is reset to
 * NULL if creation fails, so users must check it before dereferencing.
 */
struct dentry *integrity_dir;
/*
 * integrity_kernel_read - read @count bytes of @file at @offset into @addr
 *
 * Thin wrapper around __kernel_read(), used instead of kernel_read().
 * @offset is taken by value: whatever position update __kernel_read() makes
 * lands in a local copy, so the caller's value is never modified.
 *
 * No locking checks are performed, so the call cannot be blocked on them,
 * and no security checks are performed because they are irrelevant for
 * IMA. Callers are therefore expected to have already established that
 * reading @file is legitimate before calling this.
 *
 * Returns __kernel_read()'s result.
 */
int integrity_kernel_read(struct file *file, loff_t offset,
			  void *addr, unsigned long count)
{
	loff_t pos = offset;

	return __kernel_read(file, addr, count, &pos);
}
/*
 * integrity_load_keys - load the IMA and EVM x509 keys at boot
 *
 * Called from init/main.c:kernel_init_freeable() once rootfs is ready.
 * The IMA keys are always loaded first. evm_load_x509() is only called
 * from here when CONFIG_IMA_LOAD_X509 is disabled; presumably
 * ima_load_x509() covers the EVM key itself in that configuration
 * (see ima_init.c to confirm).
 */
void __init integrity_load_keys(void)
{
	ima_load_x509();

	if (IS_ENABLED(CONFIG_IMA_LOAD_X509))
		return;

	evm_load_x509();
}
/*
 * integrity_fs_init - create the "integrity" directory in securityfs
 *
 * Runs as a late_initcall. On success integrity_dir points at the new
 * directory and 0 is returned. On failure integrity_dir is reset to NULL
 * and the error is returned; -ENODEV (securityfs not present) is kept
 * quiet on purpose, every other error is logged.
 */
static int __init integrity_fs_init(void)
{
	int err;

	integrity_dir = securityfs_create_dir("integrity", NULL);
	if (!IS_ERR(integrity_dir))
		return 0;

	err = PTR_ERR(integrity_dir);
	/* never leave an ERR_PTR behind for other code to dereference */
	integrity_dir = NULL;

	if (err != -ENODEV)
		pr_err("Unable to create integrity sysfs dir: %d\n", err);

	return err;
}
late_initcall(integrity_fs_init)