Commit aef4892a authored by Linus Torvalds's avatar Linus Torvalds
Pull integrity subsystem updates from Mimi Zohar:

 - Limit the allowed hash algorithms when writing security.ima xattrs or
   verifying them, based on the IMA policy and the configured hash
   algorithms.

 - Return the calculated "critical data" measurement hash and size to
   avoid code duplication. (Preparatory change for a proposed LSM.)

 - and a single patch to address a compiler warning.

* tag 'integrity-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  IMA: reject unknown hash algorithms in ima_get_hash_algo
  IMA: prevent SETXATTR_CHECK policy rules with unavailable algorithms
  IMA: introduce a new policy option func=SETXATTR_CHECK
  IMA: add a policy option to restrict xattr hash algorithms on appraisal
  IMA: add support to restrict the hash algorithms used for file appraisal
  IMA: block writes of the security.ima xattr with unsupported algorithms
  IMA: remove the dependency on CRYPTO_MD5
  ima: Add digest and digest_len params to the functions to measure a buffer
  ima: Return int in the functions to measure a buffer
  ima: Introduce ima_get_current_hash_algo()
  IMA: remove -Wmissing-prototypes warning
parents b55060d7 cb181da1
+13 −2
@@ -27,12 +27,13 @@ Description:
			lsm:	[[subj_user=] [subj_role=] [subj_type=]
				 [obj_user=] [obj_role=] [obj_type=]]
			option:	[[appraise_type=]] [template=] [permit_directio]
				[appraise_flag=] [keyrings=]
				[appraise_flag=] [appraise_algos=] [keyrings=]
		  base:
			func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
				[FIRMWARE_CHECK]
				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
				[KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
				[SETXATTR_CHECK]
			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
			       [[^]MAY_EXEC]
			fsmagic:= hex value
@@ -55,6 +56,10 @@ Description:
			label:= [selinux]|[kernel_info]|[data_label]
			data_label:= a unique string used for grouping and limiting critical data.
			For example, "selinux" to measure critical data for SELinux.
			appraise_algos:= comma-separated list of hash algorithms
			For example, "sha256,sha512" to only accept to appraise
			files where the security.ima xattr was hashed with one
			of these two algorithms.

		  default policy:
			# PROC_SUPER_MAGIC
@@ -134,3 +139,9 @@ Description:
		keys added to .builtin_trusted_keys or .ima keyring:

			measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima

		Example of the special SETXATTR_CHECK appraise rule, that
		restricts the hash algorithms allowed when writing to the
		security.ima xattr of a file:

			appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512
+2 −1
@@ -136,7 +136,8 @@ static void dm_ima_measure_data(const char *event_name, const void *buf, size_t
	if (noio)
		noio_flag = memalloc_noio_save();

	ima_measure_critical_data(DM_NAME, event_name, buf, buf_len, false);
	ima_measure_critical_data(DM_NAME, event_name, buf, buf_len,
				  false, NULL, 0);

	if (noio)
		memalloc_noio_restore(noio_flag);
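Review bot: The int that ima_measure_critical_data() now returns is discarded at the new call on L76–L77, so a measurement that fails for device-mapper data is silent at this call site; dm_ima_measure_data() begins and ends outside the hunk. Passing `NULL, 0` for the new digest parameters is consistent with a caller that does not want the hash back, but the dropped return value is not obviously deliberate. If it is, say so on the call, e.g. `/* result intentionally ignored: a failed measurement is not fatal for dm */`; otherwise capture it and surface the failure through the driver's existing error reporting.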
+17 −6
@@ -11,9 +11,11 @@
#include <linux/fs.h>
#include <linux/security.h>
#include <linux/kexec.h>
#include <crypto/hash_info.h>
struct linux_binprm;

#ifdef CONFIG_IMA
extern enum hash_algo ima_get_current_hash_algo(void);
extern int ima_bprm_check(struct linux_binprm *bprm);
extern int ima_file_check(struct file *file, int mask);
extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
@@ -33,10 +35,10 @@ extern void ima_post_path_mknod(struct user_namespace *mnt_userns,
extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size);
extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);
extern void ima_measure_critical_data(const char *event_label,
extern int ima_measure_critical_data(const char *event_label,
				     const char *event_name,
				     const void *buf, size_t buf_len,
				      bool hash);
				     bool hash, u8 *digest, size_t digest_len);

#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
extern void ima_appraise_parse_cmdline(void);
@@ -64,6 +66,11 @@ static inline const char * const *arch_get_ima_policy(void)
#endif

#else
static inline enum hash_algo ima_get_current_hash_algo(void)
{
	return HASH_ALGO__LAST;
}

static inline int ima_bprm_check(struct linux_binprm *bprm)
{
	return 0;
@@ -137,10 +144,14 @@ static inline int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size

static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {}

static inline void ima_measure_critical_data(const char *event_label,
static inline int ima_measure_critical_data(const char *event_label,
					     const char *event_name,
					     const void *buf, size_t buf_len,
					     bool hash) {}
					     bool hash, u8 *digest,
					     size_t digest_len)
{
	return -ENOENT;
}

#endif /* CONFIG_IMA */

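Review bot: The new `digest`/`digest_len` out-parameters on ima_measure_critical_data() (L100–L104) are undocumented in the header: whether `digest` may be NULL (the device-mapper caller in this commit passes `NULL, 0`), how large `digest_len` must be, and that nothing is written to `digest` on failure — including the `!CONFIG_IMA` stub at L125–L133, which returns -ENOENT without touching it. Presumably `digest_len` must cover the digest size of `ima_get_current_hash_algo()`; confirm against the definition before documenting it. A short comment above the extern declaration stating the NULL-allowed case, the minimum length, and that callers must check the return before reading `digest` would close the gap. The stub's `return -ENOENT` also differs from the neighbouring stubs that return 0 (L117–L119), so a one-line comment on why a failure code is the right answer when IMA is compiled out would help the next reader.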
+0 −1
@@ -6,7 +6,6 @@ config IMA
	select SECURITYFS
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	select TCG_TPM if HAS_IOMEM && !UML
+14 −10
@@ -46,8 +46,11 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8, TPM_PCR10 = 10 };
/* current content of the policy */
extern int ima_policy_flag;

/* bitset of digests algorithms allowed in the setxattr hook */
extern atomic_t ima_setxattr_allowed_hash_algorithms;

/* set during initialization */
extern int ima_hash_algo;
extern int ima_hash_algo __ro_after_init;
extern int ima_sha1_idx __ro_after_init;
extern int ima_hash_algo_idx __ro_after_init;
extern int ima_extra_slots __ro_after_init;
@@ -198,6 +201,7 @@ static inline unsigned int ima_hash_key(u8 *digest)
	hook(KEXEC_CMDLINE, kexec_cmdline)		\
	hook(KEY_CHECK, key)				\
	hook(CRITICAL_DATA, critical_data)		\
	hook(SETXATTR_CHECK, setxattr_check)		\
	hook(MAX_CHECK, none)

#define __ima_hook_enumify(ENUM, str)	ENUM,
@@ -254,7 +258,7 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode,
		   const struct cred *cred, u32 secid, int mask,
		   enum ima_hooks func, int *pcr,
		   struct ima_template_desc **template_desc,
		   const char *func_data);
		   const char *func_data, unsigned int *allowed_algos);
int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
int ima_collect_measurement(struct integrity_iint_cache *iint,
			    struct file *file, void *buf, loff_t size,
@@ -264,11 +268,11 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
			   struct evm_ima_xattr_data *xattr_value,
			   int xattr_len, const struct modsig *modsig, int pcr,
			   struct ima_template_desc *template_desc);
void process_buffer_measurement(struct user_namespace *mnt_userns,
int process_buffer_measurement(struct user_namespace *mnt_userns,
			       struct inode *inode, const void *buf, int size,
			       const char *eventname, enum ima_hooks func,
			       int pcr, const char *func_data,
				bool buf_hash);
			       bool buf_hash, u8 *digest, size_t digest_len);
void ima_audit_measurement(struct integrity_iint_cache *iint,
			   const unsigned char *filename);
int ima_alloc_init_template(struct ima_event_data *event_data,
@@ -285,10 +289,10 @@ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
		     const struct cred *cred, u32 secid, enum ima_hooks func,
		     int mask, int flags, int *pcr,
		     struct ima_template_desc **template_desc,
		     const char *func_data);
		     const char *func_data, unsigned int *allowed_algos);
void ima_init_policy(void);
void ima_update_policy(void);
void ima_update_policy_flag(void);
void ima_update_policy_flags(void);
ssize_t ima_parse_add_rule(char *);
void ima_delete_rules(void);
int ima_check_policy(void);
@@ -319,7 +323,7 @@ int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode,
void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
					   enum ima_hooks func);
enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
				 int xattr_len);
int ima_read_xattr(struct dentry *dentry,
		   struct evm_ima_xattr_data **xattr_value);
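Review bot: The allowed-algorithm set declared at L154 is an `atomic_t`, so it holds at most 32 bits, but nothing in the hunk ties that width to the number of `enum hash_algo` values it presumably indexes (HASH_ALGO__LAST is used elsewhere in this commit); an algorithm added past bit 31 would be unrepresentable with no diagnostic. A compile-time check next to the variable's definition, e.g. `static_assert(HASH_ALGO__LAST <= BITS_PER_TYPE(atomic_t));`, or at least a comment stating the assumption, would make the limit explicit. The comment at L153 also reads "digests algorithms"; if the indexing is confirmed, `/* bitset of digest algorithms (indexed by enum hash_algo) allowed in the setxattr hook */` says what a reader needs.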