Commit 33b25335184b33dafddb4a83c27270947e525641
Merge branch 'next-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next
- MAINTAINERS
- include/linux/fs.h
- security/integrity/evm/Kconfig
- security/integrity/evm/evm.h
- security/integrity/evm/evm_crypto.c
- security/integrity/evm/evm_main.c
- security/integrity/evm/evm_secfs.c
- security/integrity/iint.c
- security/integrity/ima/ima.h
- security/integrity/ima/ima_api.c
- security/integrity/ima/ima_appraise.c
- security/integrity/ima/ima_crypto.c
- security/integrity/ima/ima_fs.c
- security/integrity/ima/ima_init.c
- security/integrity/ima/ima_main.c
- security/integrity/ima/ima_policy.c
- security/integrity/ima/ima_queue.c
- security/integrity/ima/ima_template.c
- security/integrity/ima/ima_template_lib.c
- security/integrity/integrity_audit.c
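--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -3325,7 +3325,9 @@
 F: fs/ext4/
 
 Extended Verification Module (EVM)
-M: Mimi Zohar <zohar@us.ibm.com>
+M: Mimi Zohar <zohar@linux.vnet.ibm.com>
+L: linux-ima-devel@lists.sourceforge.net
+L: linux-security-module@vger.kernel.org
 S: Supported
 F: security/integrity/evm/
 
 
@@ -4339,8 +4341,11 @@
 F: drivers/ipack/
 
 INTEGRITY MEASUREMENT ARCHITECTURE (IMA)
-M: Mimi Zohar <zohar@us.ibm.com>
+M: Mimi Zohar <zohar@linux.vnet.ibm.com>
 M: Dmitry Kasatkin <d.kasatkin@samsung.com>
+L: linux-ima-devel@lists.sourceforge.net
+L: linux-ima-user@lists.sourceforge.net
+L: linux-security-module@vger.kernel.org
 S: Supported
 F: security/integrity/ima/
 
@@ -5003,8 +5008,8 @@
 F: security/keys/
 
 KEYS-TRUSTED
-M: David Safford <safford@watson.ibm.com>
-M: Mimi Zohar <zohar@us.ibm.com>
+M: David Safford <safford@us.ibm.com>
+M: Mimi Zohar <zohar@linux.vnet.ibm.com>
 L: linux-security-module@vger.kernel.org
 L: keyrings@linux-nfs.org
 S: Supported
@@ -5014,8 +5019,8 @@
 F: security/keys/trusted.h
 
 KEYS-ENCRYPTED
-M: Mimi Zohar <zohar@us.ibm.com>
-M: David Safford <safford@watson.ibm.com>
+M: Mimi Zohar <zohar@linux.vnet.ibm.com>
+M: David Safford <safford@us.ibm.com>
 L: linux-security-module@vger.kernel.org
 L: keyrings@linux-nfs.org
 S: Supported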
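--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -586,6 +586,9 @@
 atomic_t i_count;
 atomic_t i_dio_count;
 atomic_t i_writecount;
+#ifdef CONFIG_IMA
+ atomic_t i_readcount; /* struct files open RO */
+#endif
 const struct file_operations *i_fop; /* former ->i_op->default_file_ops */
 struct file_lock *i_flock;
 struct address_space i_data;
@@ -606,9 +609,6 @@
 struct hlist_head i_fsnotify_marks;
 #endif
 
-#ifdef CONFIG_IMA
- atomic_t i_readcount; /* struct files open RO */
-#endif
 void *i_private; /* fs or device private pointer */
 };
 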
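--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -1,10 +1,10 @@
 config EVM
 boolean "EVM support"
- depends on SECURITY && KEYS && (TRUSTED_KEYS=y || TRUSTED_KEYS=n)
+ depends on SECURITY
+ select KEYS
+ select ENCRYPTED_KEYS
 select CRYPTO_HMAC
- select CRYPTO_MD5
 select CRYPTO_SHA1
- select ENCRYPTED_KEYS
 default n
 help
 EVM protects a file's security extended attributes against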
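Review bot: `select KEYS` and `select ENCRYPTED_KEYS` force those symbols on without checking their own dependencies, and the dropped `(TRUSTED_KEYS=y || TRUSTED_KEYS=n)` term was the only thing here keeping EVM from being built in while TRUSTED_KEYS is a module. If ENCRYPTED_KEYS still needs that restriction it should come back as `depends on SECURITY && (TRUSTED_KEYS=y || TRUSTED_KEYS=n)` or be expressed on ENCRYPTED_KEYS itself; that symbol's definition is not in this diff, so it may already be handled there. The removal of `select CRYPTO_MD5` is not explained by anything in the hunk; a line in the help text stating which algorithms EVM actually uses would make the intent checkable.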
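--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -32,20 +32,20 @@
 /* List of EVM protected security xattrs */
 extern char *evm_config_xattrnames[];
 
-extern int evm_init_key(void);
-extern int evm_update_evmxattr(struct dentry *dentry,
- const char *req_xattr_name,
- const char *req_xattr_value,
- size_t req_xattr_value_len);
-extern int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
- const char *req_xattr_value,
- size_t req_xattr_value_len, char *digest);
-extern int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name,
- const char *req_xattr_value,
- size_t req_xattr_value_len, char *digest);
-extern int evm_init_hmac(struct inode *inode, const struct xattr *xattr,
- char *hmac_val);
-extern int evm_init_secfs(void);
+int evm_init_key(void);
+int evm_update_evmxattr(struct dentry *dentry,
+ const char *req_xattr_name,
+ const char *req_xattr_value,
+ size_t req_xattr_value_len);
+int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
+ const char *req_xattr_value,
+ size_t req_xattr_value_len, char *digest);
+int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name,
+ const char *req_xattr_value,
+ size_t req_xattr_value_len, char *digest);
+int evm_init_hmac(struct inode *inode, const struct xattr *xattr,
+ char *hmac_val);
+int evm_init_secfs(void);
 
 #endif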
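--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -13,6 +13,8 @@
 * Using root's kernel master key (kmk), calculate the HMAC
 */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include <linux/module.h>
 #include <linux/crypto.h>
 #include <linux/xattr.h>
@@ -103,13 +105,13 @@
 umode_t mode;
 } hmac_misc;
 
- memset(&hmac_misc, 0, sizeof hmac_misc);
+ memset(&hmac_misc, 0, sizeof(hmac_misc));
 hmac_misc.ino = inode->i_ino;
 hmac_misc.generation = inode->i_generation;
 hmac_misc.uid = from_kuid(&init_user_ns, inode->i_uid);
 hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
 hmac_misc.mode = inode->i_mode;
- crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof hmac_misc);
+ crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc));
 if (evm_hmac_version > 1)
 crypto_shash_update(desc, inode->i_sb->s_uuid,
 sizeof(inode->i_sb->s_uuid));
@@ -221,7 +223,7 @@
 
 desc = init_desc(EVM_XATTR_HMAC);
 if (IS_ERR(desc)) {
- printk(KERN_INFO "init_desc failed\n");
+ pr_info("init_desc failed\n");
 return PTR_ERR(desc);
 }
 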
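--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -14,6 +14,8 @@
 * evm_inode_removexattr, and evm_verifyxattr
 */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include <linux/module.h>
 #include <linux/crypto.h>
 #include <linux/audit.h>
@@ -432,7 +434,7 @@
 
 error = evm_init_secfs();
 if (error < 0) {
- printk(KERN_INFO "EVM: Error registering secfs\n");
+ pr_info("Error registering secfs\n");
 goto err;
 }
 
@@ -449,7 +451,7 @@
 char **xattrname;
 
 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++)
- printk(KERN_INFO "EVM: %s\n", *xattrname);
+ pr_info("%s\n", *xattrname);
 return 0;
 }
 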
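--- a/security/integrity/evm/evm_secfs.c
+++ b/security/integrity/evm/evm_secfs.c
@@ -13,6 +13,8 @@
 * - Get the key and enable EVM
 */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include <linux/uaccess.h>
 #include <linux/module.h>
 #include "evm.h"
@@ -79,9 +81,9 @@
 error = evm_init_key();
 if (!error) {
 evm_initialized = 1;
- pr_info("EVM: initialized\n");
+ pr_info("initialized\n");
 } else
- pr_err("EVM: initialization failed\n");
+ pr_err("initialization failed\n");
 return count;
 }
 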
security/integrity/iint.c
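--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -27,7 +27,7 @@
 #include "../integrity.h"
 
 enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN,
- IMA_SHOW_ASCII };
+ IMA_SHOW_BINARY_OLD_STRING_FMT, IMA_SHOW_ASCII };
 enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
 
 /* digest size for IMA, fits SHA1 or MD5 */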
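--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -92,8 +92,8 @@
 int violation, struct inode *inode,
 const unsigned char *filename)
 {
- const char *op = "add_template_measure";
- const char *audit_cause = "hashing_error";
+ static const char op[] = "add_template_measure";
+ static const char audit_cause[] = "hashing_error";
 char *template_name = entry->template_desc->name;
 int result;
 struct {
@@ -132,7 +132,7 @@
 const char *op, const char *cause)
 {
 struct ima_template_entry *entry;
- struct inode *inode = file->f_dentry->d_inode;
+ struct inode *inode = file_inode(file);
 int violation = 1;
 int result;
 
@@ -160,10 +160,10 @@
 * @function: calling function (FILE_CHECK, BPRM_CHECK, MMAP_CHECK, MODULE_CHECK)
 *
 * The policy is defined in terms of keypairs:
- * subj=, obj=, type=, func=, mask=, fsmagic=
+ * subj=, obj=, type=, func=, mask=, fsmagic=
 * subj,obj, and type: are LSM specific.
- * func: FILE_CHECK | BPRM_CHECK | MMAP_CHECK | MODULE_CHECK
- * mask: contains the permission mask
+ * func: FILE_CHECK | BPRM_CHECK | MMAP_CHECK | MODULE_CHECK
+ * mask: contains the permission mask
 * fsmagic: hex value
 *
 * Returns IMA_MEASURE, IMA_APPRAISE mask.
@@ -248,7 +248,7 @@
 *
 * We only get here if the inode has not already been measured,
 * but the measurement could already exist:
- * - multiple copies of the same file on either the same or
+ * - multiple copies of the same file on either the same or
 * different filesystems.
 * - the inode was previously flushed as well as the iint info,
 * containing the hashing info.
@@ -260,8 +260,8 @@
 struct evm_ima_xattr_data *xattr_value,
 int xattr_len)
 {
- const char *op = "add_template_measure";
- const char *audit_cause = "ENOMEM";
+ static const char op[] = "add_template_measure";
+ static const char audit_cause[] = "ENOMEM";
 int result = -ENOMEM;
 struct inode *inode = file_inode(file);
 struct ima_template_entry *entry;
@@ -332,6 +332,6 @@
 pathname = NULL;
 }
 }
- return pathname;
+ return pathname ?: (const char *)path->dentry->d_name.name;
 }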
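Review bot: `return pathname ?: (const char *)path->dentry->d_name.name;` changes the contract of the function in the last hunk: it can no longer return NULL, and in the fallback case the pointer it returns is the dentry name rather than memory reachable from `*pathbuf`, so callers must keep freeing `*pathbuf` and never the returned string. Nothing in the hunk records that, and every caller that used to test for NULL now silently relies on it. The function's header comment, which sits above the hunk, should state it, e.g. `/* Returns the absolute path stored in *pathbuf, or the dentry's name (not owned by the caller) when no path could be built; never NULL. */`. The function starts outside the hunk.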
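--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -177,11 +177,11 @@
 struct evm_ima_xattr_data *xattr_value,
 int xattr_len)
 {
+ static const char op[] = "appraise_data";
+ char *cause = "unknown";
 struct dentry *dentry = file->f_dentry;
 struct inode *inode = dentry->d_inode;
 enum integrity_status status = INTEGRITY_UNKNOWN;
- const char *op = "appraise_data";
- char *cause = "unknown";
 int rc = xattr_len, hash_start = 0;
 
 if (!ima_appraise)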
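--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -10,9 +10,11 @@
 * the Free Software Foundation, version 2 of the License.
 *
 * File: ima_crypto.c
- * Calculates md5/sha1 file hash, template hash, boot-aggreate hash
+ * Calculates md5/sha1 file hash, template hash, boot-aggreate hash
 */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include <linux/kernel.h>
 #include <linux/file.h>
 #include <linux/crypto.h>
@@ -85,16 +87,20 @@
 if (rc != 0)
 return rc;
 
- rbuf = kzalloc(PAGE_SIZE, GFP_KERNEL);
- if (!rbuf) {
- rc = -ENOMEM;
+ i_size = i_size_read(file_inode(file));
+
+ if (i_size == 0)
 goto out;
- }
+
+ rbuf = kzalloc(PAGE_SIZE, GFP_KERNEL);
+ if (!rbuf)
+ return -ENOMEM;
+
 if (!(file->f_mode & FMODE_READ)) {
 file->f_mode |= FMODE_READ;
 read = 1;
 }
- i_size = i_size_read(file_inode(file));
+
 while (offset < i_size) {
 int rbuf_len;
 
@@ -111,12 +117,12 @@
 if (rc)
 break;
 }
- kfree(rbuf);
- if (!rc)
- rc = crypto_shash_final(&desc.shash, hash->digest);
 if (read)
 file->f_mode &= ~FMODE_READ;
+ kfree(rbuf);
 out:
+ if (!rc)
+ rc = crypto_shash_final(&desc.shash, hash->digest);
 return rc;
 }
 
@@ -161,15 +167,22 @@
 return rc;
 
 for (i = 0; i < num_fields; i++) {
+ u8 buffer[IMA_EVENT_NAME_LEN_MAX + 1] = { 0 };
+ u8 *data_to_hash = field_data[i].data;
+ u32 datalen = field_data[i].len;
+
 if (strcmp(td->name, IMA_TEMPLATE_IMA_NAME) != 0) {
 rc = crypto_shash_update(&desc.shash,
 (const u8 *) &field_data[i].len,
 sizeof(field_data[i].len));
 if (rc)
 break;
+ } else if (strcmp(td->fields[i]->field_id, "n") == 0) {
+ memcpy(buffer, data_to_hash, datalen);
+ data_to_hash = buffer;
+ datalen = IMA_EVENT_NAME_LEN_MAX + 1;
 }
- rc = crypto_shash_update(&desc.shash, field_data[i].data,
- field_data[i].len);
+ rc = crypto_shash_update(&desc.shash, data_to_hash, datalen);
 if (rc)
 break;
 }
@@ -205,7 +218,7 @@
 return;
 
 if (tpm_pcr_read(TPM_ANY_NUM, idx, pcr) != 0)
- pr_err("IMA: Error Communicating to TPM chip\n");
+ pr_err("Error Communicating to TPM chip\n");
 }
 
 /*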
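Review bot: `memcpy(buffer, data_to_hash, datalen);` in the new `"n"` branch copies `field_data[i].len` bytes into a fixed `IMA_EVENT_NAME_LEN_MAX + 1` stack buffer with no bound in this hunk, so the copy is only safe if the `"n"` field initializer (not part of this hunk) guarantees `len <= IMA_EVENT_NAME_LEN_MAX`; that invariant is now enforced in one file and relied on in another. Keeping it local is cheap: `if (datalen > IMA_EVENT_NAME_LEN_MAX) { rc = -EINVAL; break; }` immediately before the memcpy, with a one-line comment saying the old `ima` template hashes the name as a fixed-width, zero-padded field. The enclosing loop's function starts and ends outside the hunk.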
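--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -133,14 +133,14 @@
 * PCR used is always the same (config option) in
 * little-endian format
 */
- ima_putc(m, &pcr, sizeof pcr);
+ ima_putc(m, &pcr, sizeof(pcr));
 
 /* 2nd: template digest */
 ima_putc(m, e->digest, TPM_DIGEST_SIZE);
 
 /* 3rd: template name size */
 namelen = strlen(e->template_desc->name);
- ima_putc(m, &namelen, sizeof namelen);
+ ima_putc(m, &namelen, sizeof(namelen));
 
 /* 4th: template name */
 ima_putc(m, e->template_desc->name, namelen);
@@ -160,6 +160,8 @@
 
 if (is_ima_template && strcmp(field->field_id, "d") == 0)
 show = IMA_SHOW_BINARY_NO_FIELD_LEN;
+ if (is_ima_template && strcmp(field->field_id, "n") == 0)
+ show = IMA_SHOW_BINARY_OLD_STRING_FMT;
 field->field_show(m, show, &e->template_data[i]);
 }
 return 0;
@@ -290,7 +292,7 @@
 /*
 * ima_open_policy: sequentialize access to the policy file
 */
-static int ima_open_policy(struct inode * inode, struct file * filp)
+static int ima_open_policy(struct inode *inode, struct file *filp)
 {
 /* No point in being allowed to open it if you aren't going to write */
 if (!(filp->f_flags & O_WRONLY))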
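--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -14,6 +14,9 @@
 * File: ima_init.c
 * initialization and cleanup functions
 */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include <linux/module.h>
 #include <linux/scatterlist.h>
 #include <linux/slab.h>
@@ -42,10 +45,10 @@
 */
 static void __init ima_add_boot_aggregate(void)
 {
+ static const char op[] = "add_boot_aggregate";
+ const char *audit_cause = "ENOMEM";
 struct ima_template_entry *entry;
 struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
- const char *op = "add_boot_aggregate";
- const char *audit_cause = "ENOMEM";
 int result = -ENOMEM;
 int violation = 0;
 struct {
@@ -93,7 +96,7 @@
 ima_used_chip = 1;
 
 if (!ima_used_chip)
- pr_info("IMA: No TPM chip found, activating TPM-bypass!\n");
+ pr_info("No TPM chip found, activating TPM-bypass!\n");
 
 rc = ima_init_crypto();
 if (rc)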
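--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -71,15 +71,14 @@
 * ima_rdwr_violation_check
 *
 * Only invalidate the PCR for measured files:
- * - Opening a file for write when already open for read,
+ * - Opening a file for write when already open for read,
 * results in a time of measure, time of use (ToMToU) error.
 * - Opening a file for read when already open for write,
- * could result in a file measurement error.
+ * could result in a file measurement error.
 *
 */
 static void ima_rdwr_violation_check(struct file *file)
 {
- struct dentry *dentry = file->f_path.dentry;
 struct inode *inode = file_inode(file);
 fmode_t mode = file->f_mode;
 int must_measure;
@@ -111,8 +110,6 @@
 return;
 
 pathname = ima_d_path(&file->f_path, &pathbuf);
- if (!pathname || strlen(pathname) > IMA_EVENT_NAME_LEN_MAX)
- pathname = dentry->d_name.name;
 
 if (send_tomtou)
 ima_add_violation(file, pathname, "invalid_pcr", "ToMToU");
@@ -220,9 +217,7 @@
 if (rc != 0)
 goto out_digsig;
 
- pathname = !filename ? ima_d_path(&file->f_path, &pathbuf) : filename;
- if (!pathname)
- pathname = (const char *)file->f_dentry->d_name.name;
+ pathname = filename ?: ima_d_path(&file->f_path, &pathbuf);
 
 if (action & IMA_MEASURE)
 ima_store_measurement(iint, file, pathname,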
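Review bot: Removing `if (!pathname || strlen(pathname) > IMA_EVENT_NAME_LEN_MAX)` in ima_rdwr_violation_check means `ima_add_violation` now receives the full path whatever its length, and the same holds for `pathname = filename ?: ima_d_path(&file->f_path, &pathbuf);` in the third hunk; the NULL case is presumably covered by ima_d_path's new fallback, but the length limit is now enforced, if at all, by template-field code that is not among this commit's visible hunks. A comment at the first `ima_d_path` call would keep that dependency visible: `/* ima_d_path() never returns NULL; name length is bounded when the template field is built */`. Both enclosing functions continue outside their hunks.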
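--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -7,7 +7,7 @@
 * the Free Software Foundation, version 2 of the License.
 *
 * ima_policy.c
- * - initialize default measure policy rules
+ * - initialize default measure policy rules
 *
 */
 #include <linux/module.h>
@@ -21,8 +21,8 @@
 #include "ima.h"
 
 /* flags definitions */
-#define IMA_FUNC 0x0001
-#define IMA_MASK 0x0002
+#define IMA_FUNC 0x0001
+#define IMA_MASK 0x0002
 #define IMA_FSMAGIC 0x0004
 #define IMA_UID 0x0008
 #define IMA_FOWNER 0x0010
@@ -69,35 +69,35 @@
 * and running executables.
 */
 static struct ima_rule_entry default_rules[] = {
- {.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_MEASURE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_MEASURE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
- {.action = MEASURE,.func = MMAP_CHECK,.mask = MAY_EXEC,
+ {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
 .flags = IMA_FUNC | IMA_MASK},
- {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
+ {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
 .flags = IMA_FUNC | IMA_MASK},
- {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = GLOBAL_ROOT_UID,
+ {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, .uid = GLOBAL_ROOT_UID,
 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
- {.action = MEASURE,.func = MODULE_CHECK, .flags = IMA_FUNC},
+ {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
 };
 
 static struct ima_rule_entry default_appraise_rules[] = {
- {.action = DONT_APPRAISE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_APPRAISE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_APPRAISE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_APPRAISE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_APPRAISE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_APPRAISE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_APPRAISE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_APPRAISE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_APPRAISE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
- {.action = DONT_APPRAISE,.fsmagic = CGROUP_SUPER_MAGIC,.flags = IMA_FSMAGIC},
- {.action = APPRAISE,.fowner = GLOBAL_ROOT_UID,.flags = IMA_FOWNER},
+ {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
 };
 
 static LIST_HEAD(ima_default_rules);
@@ -122,12 +122,12 @@
 }
 __setup("ima_appraise_tcb", default_appraise_policy_setup);
 
-/*
+/*
 * Although the IMA policy does not change, the LSM policy can be
 * reloaded, leaving the IMA LSM based rules referring to the old,
 * stale LSM policy.
 *
- * Update the IMA LSM based rules to reflect the reloaded LSM policy.
+ * Update the IMA LSM based rules to reflect the reloaded LSM policy.
 * We assume the rules still exist; and BUG_ON() if they don't.
 */
 static void ima_lsm_update_rules(void)
@@ -167,9 +167,11 @@
 const struct cred *cred = current_cred();
 int i;
 
- if ((rule->flags & IMA_FUNC) && rule->func != func)
+ if ((rule->flags & IMA_FUNC) &&
+ (rule->func != func && func != POST_SETATTR))
 return false;
- if ((rule->flags & IMA_MASK) && rule->mask != mask)
+ if ((rule->flags & IMA_MASK) &&
+ (rule->mask != mask && func != POST_SETATTR))
 return false;
 if ((rule->flags & IMA_FSMAGIC)
 && rule->fsmagic != inode->i_sb->s_magic)
@@ -216,7 +218,7 @@
 retried = 1;
 ima_lsm_update_rules();
 goto retry;
- }
+ }
 if (!rc)
 return false;
 }
@@ -232,7 +234,7 @@
 if (!(rule->flags & IMA_FUNC))
 return IMA_FILE_APPRAISE;
 
- switch(func) {
+ switch (func) {
 case MMAP_CHECK:
 return IMA_MMAP_APPRAISE;
 case BPRM_CHECK:
@@ -304,7 +306,7 @@
 measure_entries = ima_use_tcb ? ARRAY_SIZE(default_rules) : 0;
 appraise_entries = ima_use_appraise_tcb ?
 ARRAY_SIZE(default_appraise_rules) : 0;
-
+
 for (i = 0; i < measure_entries + appraise_entries; i++) {
 if (i < measure_entries)
 list_add_tail(&default_rules[i].list,
@@ -329,7 +331,7 @@
 */
 void ima_update_policy(void)
 {
- const char *op = "policy_update";
+ static const char op[] = "policy_update";
 const char *cause = "already exists";
 int result = 1;
 int audit_info = 0;
@@ -520,8 +522,7 @@
 break;
 }
 
- result = kstrtoul(args[0].from, 16,
- &entry->fsmagic);
+ result = kstrtoul(args[0].from, 16, &entry->fsmagic);
 if (!result)
 entry->flags |= IMA_FSMAGIC;
 break;
@@ -645,7 +646,7 @@
 */
 ssize_t ima_parse_add_rule(char *rule)
 {
- const char *op = "update_policy";
+ static const char op[] = "update_policy";
 char *p;
 struct ima_rule_entry *entry;
 ssize_t result, len;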
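Review bot: The new `(rule->func != func && func != POST_SETATTR)` clause, and the matching one on the mask check two lines below, make a POST_SETATTR call match every rule that carries IMA_FUNC or IMA_MASK regardless of the rule's own func or mask, which widens rule matching in a policy-evaluation path and is not explained anywhere in the hunk. A comment above the first check should carry the intent, e.g. `/* POST_SETATTR is not a rule func: treat it as matching any func/mask-qualified rule so the file is re-evaluated after its attributes change */`, adjusted to what the caller actually relies on. The enclosing function begins above the hunk and continues below it.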
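--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -18,6 +18,9 @@
 * The measurement list is append-only. No entry is
 * ever removed or changed during the boot-cycle.
 */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include <linux/module.h>
 #include <linux/rculist.h>
 #include <linux/slab.h>
@@ -72,7 +75,7 @@
 
 qe = kmalloc(sizeof(*qe), GFP_KERNEL);
 if (qe == NULL) {
- pr_err("IMA: OUT OF MEMORY ERROR creating queue entry.\n");
+ pr_err("OUT OF MEMORY ERROR creating queue entry\n");
 return -ENOMEM;
 }
 qe->entry = entry;
@@ -95,8 +98,7 @@
 
 result = tpm_pcr_extend(TPM_ANY_NUM, CONFIG_IMA_MEASURE_PCR_IDX, hash);
 if (result != 0)
- pr_err("IMA: Error Communicating to TPM chip, result: %d\n",
- result);
+ pr_err("Error Communicating to TPM chip, result: %d\n", result);
 return result;
 }
 
@@ -115,7 +117,7 @@
 
 mutex_lock(&ima_extend_list_mutex);
 if (!violation) {
- memcpy(digest, entry->digest, sizeof digest);
+ memcpy(digest, entry->digest, sizeof(digest));
 if (ima_lookup_digest_entry(digest)) {
 audit_cause = "hash_exists";
 result = -EEXIST;
@@ -131,7 +133,7 @@
 }
 
 if (violation) /* invalidate pcr */
- memset(digest, 0xff, sizeof digest);
+ memset(digest, 0xff, sizeof(digest));
 
 tpmresult = ima_pcr_extend(digest);
 if (tpmresult != 0) {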
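--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -12,6 +12,9 @@
 * File: ima_template.c
 * Helpers to manage template descriptors.
 */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include <crypto/hash_info.h>
 
 #include "ima.h"
@@ -19,20 +22,20 @@
 
 static struct ima_template_desc defined_templates[] = {
 {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
-{.name = "ima-ng",.fmt = "d-ng|n-ng"},
-{.name = "ima-sig",.fmt = "d-ng|n-ng|sig"},
+{.name = "ima-ng", .fmt = "d-ng|n-ng"},
+{.name = "ima-sig", .fmt = "d-ng|n-ng|sig"},
 };
 
 static struct ima_template_field supported_fields[] = {
-{.field_id = "d",.field_init = ima_eventdigest_init,
+{.field_id = "d", .field_init = ima_eventdigest_init,
 .field_show = ima_show_template_digest},
-{.field_id = "n",.field_init = ima_eventname_init,
+{.field_id = "n", .field_init = ima_eventname_init,
 .field_show = ima_show_template_string},
-{.field_id = "d-ng",.field_init = ima_eventdigest_ng_init,
+{.field_id = "d-ng", .field_init = ima_eventdigest_ng_init,
 .field_show = ima_show_template_digest_ng},
-{.field_id = "n-ng",.field_init = ima_eventname_ng_init,
+{.field_id = "n-ng", .field_init = ima_eventname_ng_init,
 .field_show = ima_show_template_string},
-{.field_id = "sig",.field_init = ima_eventsig_init,
+{.field_id = "sig", .field_init = ima_eventsig_init,
 .field_show = ima_show_template_sig},
 };
 
@@ -58,7 +61,7 @@
 */
 if (template_len == 3 && strcmp(str, IMA_TEMPLATE_IMA_NAME) == 0 &&
 ima_hash_algo != HASH_ALGO_SHA1 && ima_hash_algo != HASH_ALGO_MD5) {
-pr_err("IMA: template does not support hash alg\n");
+pr_err("template does not support hash alg\n");
 return 1;
 }
 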
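Review bot: The new `#define pr_fmt(fmt)` on new line 16 carries an ordering constraint the file does not state: it only takes effect if it precedes the first header that pulls in the printk declarations, which here is `<crypto/hash_info.h>`, and a later move of the define into ima.h (included after that header) would silently drop the prefix from every pr_err in this file. A one-line comment above it, `/* must precede any include that pulls in <linux/printk.h> */`, records that. The pr_err in the last hunk sits inside a function whose start is outside the hunk.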
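--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -27,7 +27,6 @@
 enum data_formats {
 DATA_FMT_DIGEST = 0,
 DATA_FMT_DIGEST_WITH_ALGO,
-DATA_FMT_EVENT_NAME,
 DATA_FMT_STRING,
 DATA_FMT_HEX
 };
@@ -37,18 +36,10 @@
 struct ima_field_data *field_data)
 {
 u8 *buf, *buf_ptr;
-u32 buflen;
+u32 buflen = datalen;
 
-switch (datafmt) {
-case DATA_FMT_EVENT_NAME:
-buflen = IMA_EVENT_NAME_LEN_MAX + 1;
-break;
-case DATA_FMT_STRING:
+if (datafmt == DATA_FMT_STRING)
 buflen = datalen + 1;
-break;
-default:
-buflen = datalen;
-}
 
 buf = kzalloc(buflen, GFP_KERNEL);
 if (!buf)
@@ -63,7 +54,7 @@
 * split into multiple template fields (the space is the delimitator
 * character for measurements lists in ASCII format).
 */
-if (datafmt == DATA_FMT_EVENT_NAME || datafmt == DATA_FMT_STRING) {
+if (datafmt == DATA_FMT_STRING) {
 for (buf_ptr = buf; buf_ptr - buf < datalen; buf_ptr++)
 if (*buf_ptr == ' ')
 *buf_ptr = '_';
@@ -109,13 +100,16 @@
 enum data_formats datafmt,
 struct ima_field_data *field_data)
 {
+u32 len = (show == IMA_SHOW_BINARY_OLD_STRING_FMT) ?
+strlen(field_data->data) : field_data->len;
+
 if (show != IMA_SHOW_BINARY_NO_FIELD_LEN)
-ima_putc(m, &field_data->len, sizeof(u32));
+ima_putc(m, &len, sizeof(len));
 
-if (!field_data->len)
+if (!len)
 return;
 
-ima_putc(m, field_data->data, field_data->len);
+ima_putc(m, field_data->data, len);
 }
 
 static void ima_show_template_field_data(struct seq_file *m,
@@ -129,6 +123,7 @@
 break;
 case IMA_SHOW_BINARY:
 case IMA_SHOW_BINARY_NO_FIELD_LEN:
+case IMA_SHOW_BINARY_OLD_STRING_FMT:
 ima_show_template_data_binary(m, show, datafmt, field_data);
 break;
 default:
@@ -277,8 +272,6 @@
 {
 const char *cur_filename = NULL;
 u32 cur_filename_len = 0;
-enum data_formats fmt = size_limit ?
-DATA_FMT_EVENT_NAME : DATA_FMT_STRING;
 
 BUG_ON(filename == NULL && file == NULL);
 
@@ -301,7 +294,7 @@
 cur_filename_len = IMA_EVENT_NAME_LEN_MAX;
 out:
 return ima_write_template_field_data(cur_filename, cur_filename_len,
-fmt, field_data);
+DATA_FMT_STRING, field_data);
 }
 
 /*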
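Review bot: `strlen(field_data->data)` on new lines 103-104 of ima_show_template_data_binary assumes the field buffer is NUL-terminated, which ima_write_template_field_data guarantees only for DATA_FMT_STRING (buflen = datalen + 1, zeroed by kzalloc); a field of any other datafmt shown with IMA_SHOW_BINARY_OLD_STRING_FMT could read past the end of its buffer, and whether callers can reach that combination is not visible in the hunk. Bounding the scan with `strnlen(field_data->data, field_data->len)` preserves the legacy string output while making the read safe regardless of the caller, or a comment should state that this show mode is valid only for DATA_FMT_STRING fields. The size_t result is also narrowed to u32 without a check. The function's signature starts outside the hunk.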
security/integrity/integrity_audit.c
... | ... | @@ -7,7 +7,7 @@ |
7 | 7 | * the Free Software Foundation, version 2 of the License. |
8 | 8 | * |
9 | 9 | * File: integrity_audit.c |
10 | - * Audit calls for the integrity subsystem | |
10 | + * Audit calls for the integrity subsystem | |
11 | 11 | */ |
12 | 12 | |
13 | 13 | #include <linux/fs.h> |
... | ... | @@ -33,6 +33,7 @@ |
33 | 33 | const char *cause, int result, int audit_info) |
34 | 34 | { |
35 | 35 | struct audit_buffer *ab; |
36 | + char name[TASK_COMM_LEN]; | |
36 | 37 | |
37 | 38 | if (!integrity_audit_info && audit_info == 1) /* Skip info messages */ |
38 | 39 | return; |
... | ... | @@ -49,7 +50,7 @@ |
49 | 50 | audit_log_format(ab, " cause="); |
50 | 51 | audit_log_string(ab, cause); |
51 | 52 | audit_log_format(ab, " comm="); |
52 | - audit_log_untrustedstring(ab, current->comm); | |
53 | + audit_log_untrustedstring(ab, get_task_comm(name, current)); | |
53 | 54 | if (fname) { |
54 | 55 | audit_log_format(ab, " name="); |
55 | 56 | audit_log_untrustedstring(ab, fname); |