tree 341c0f3d861fbdd1810955ec3ff3926c729c680d
parent cdf739d12341e176071026f32fc945fd9e149919
author Dmitry Kasatkin <d.kasatkin@samsung.com> 1384802885 +0200
committer Dmitry Kasatkin <d.kasatkin@samsung.com> 1412159456 +0300

ima: directory integrity protection implementation

This patch provides an implementation of directory integrity protection hooks.

This patch implements ima_dir_check() and ima_dir_update() hooks.

ima_dir_check() verifies the directory integrity during the initial path
lookup, when the dentry is just being created and may block. It allocates
the needed data structures and performs the integrity verification,
the results of which are cached. Subsequent calls mostly happen under
RCU locking, when the code may not block, and return immediately with
the cached verification status. So ima_dir_check() does not interrupt
RCU path walk.

Directory hash is a hash over the list of directory entries, that includes
name, ino and d_type. ima_dir_check() calculates a directory hash and compares
it against the good reference value stored in 'security.ima' extended attribute.

ima_dir_update() is called when directory content is changing, and updates
the directory hash.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
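
A user-space illustration of the directory hash described in the commit message above (a hash over each entry's name, ino and d_type), added here and not taken from the patch. The serialization, the sorting by name and the FNV-1a stand-in for a cryptographic digest are assumptions, and `struct ent`, `fnv1a()`, `by_name()` and `dir_hash()` are hypothetical names.

```c
#include <dirent.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ent { char name[256]; uint64_t ino; unsigned char type; };

/* FNV-1a: non-cryptographic stand-in for the real digest (assumption). */
static uint64_t fnv1a(uint64_t h, const void *p, size_t n)
{
    for (const unsigned char *b = p; n--; b++) { h ^= *b; h *= 0x100000001b3ULL; }
    return h;
}

static int by_name(const void *a, const void *b)
{
    return strcmp(((const struct ent *)a)->name, ((const struct ent *)b)->name);
}

/* Sorting removes dependence on readdir order; the NUL terminator and the
 * fixed-width ino/d_type fields keep entry boundaries unambiguous. */
uint64_t dir_hash(struct ent *e, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    qsort(e, n, sizeof(*e), by_name);
    for (size_t i = 0; i < n; i++) {
        h = fnv1a(h, e[i].name, strlen(e[i].name) + 1);
        h = fnv1a(h, &e[i].ino, sizeof(e[i].ino));
        h = fnv1a(h, &e[i].type, sizeof(e[i].type));
    }
    return h;
}

int main(int argc, char **argv)
{
    static struct ent e[4096];
    size_t n = 0;
    struct dirent *de;
    DIR *d = opendir(argc > 1 ? argv[1] : ".");
    if (!d) { perror("opendir"); return 1; }
    while ((de = readdir(d))) {
        if (n == 4096) { fputs("too many entries\n", stderr); return 1; }
        snprintf(e[n].name, sizeof(e[n].name), "%s", de->d_name);
        e[n].ino = de->d_ino; e[n++].type = de->d_type;
    }
    closedir(d);
    printf("%zu entries, hash %016llx\n", n, (unsigned long long)dir_hash(e, n));
    return 0;
}
```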
