ima: directory integrity protection implementation

This patch provides an implementation of the directory integrity protection hooks.

This patch implements ima_dir_check() and ima_dir_update() hooks.

ima_dir_check() verifies the directory integrity during the initial path
lookup, when the dentry is just being created and the code may block. It
allocates the needed data structures and performs the integrity
verification, the results of which are cached. Subsequent calls mostly
happen under RCU locking, when the code may not block, and return
immediately with the cached verification status. So ima_dir_check() does
not interrupt the RCU path walk.

The directory hash is a hash over the list of directory entries, which includes
the name, ino and d_type. ima_dir_check() calculates a directory hash and compares
it against the good reference value stored in the 'security.ima' extended attribute.

ima_dir_update() is called when directory content is changing, and updates
the directory hash.

Signed-off-by: Dmitry Kasatkin <>
5 files changed
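The following is an added user-space model of the check described in the commit message, not code from the patch or from the kernel IMA subsystem. It hashes an in-memory listing of entries over the three fields the message names (name, ino, d_type), compares the result with a reference value in the way ima_dir_check() compares against 'security.ima', and recomputes it the way ima_dir_update() would after a change. The entry struct, the DT_*_MODEL constants, the sample listings and the use of 64-bit FNV-1a as a stand-in for the kernel's configured hash algorithm are all assumptions of this example; the patch's actual serialisation of the entry list is not shown on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory model of a directory entry: the three fields the
 * commit message says the directory hash covers (name, ino, d_type).
 * The d_type values below are constants of this model only, not the
 * kernel's DT_* values. */
#define DT_FILE_MODEL 1
#define DT_DIR_MODEL  2

struct dir_entry {
    const char *name;
    uint64_t ino;
    uint8_t d_type;
};

/* 64-bit FNV-1a stands in for the kernel's configured IMA hash algorithm. */
static uint64_t fnv1a_update(uint64_t h, const void *data, size_t len)
{
    const uint8_t *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Hash the entry list in order, serialising each field in a fixed layout:
 * the name including its NUL terminator (so "ab","c" and "a","bc" differ),
 * the inode number as 8 little-endian bytes, then the entry type byte. */
uint64_t dir_hash(const struct dir_entry *ents, size_t n)
{
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < n; i++) {
        uint8_t ino_le[8];
        for (int b = 0; b < 8; b++)
            ino_le[b] = (uint8_t)(ents[i].ino >> (8 * b));
        h = fnv1a_update(h, ents[i].name, strlen(ents[i].name) + 1);
        h = fnv1a_update(h, ino_le, sizeof ino_le);
        h = fnv1a_update(h, &ents[i].d_type, 1);
    }
    return h;
}

/* Analogue of ima_dir_check(): compare the computed hash with the reference
 * the kernel would read from 'security.ima'. Returns 0 on match and -1 on
 * mismatch (a tampered or out-of-date listing). */
int dir_check(const struct dir_entry *ents, size_t n, uint64_t reference)
{
    return dir_hash(ents, n) == reference ? 0 : -1;
}

/* Analogue of ima_dir_update(): after the directory content changes,
 * recompute the hash that would be written back as the new reference. */
uint64_t dir_update(const struct dir_entry *ents, size_t n)
{
    return dir_hash(ents, n);
}

/* Constructed sample listings. */
const struct dir_entry good_listing[3] = {
    { "bin",    1001, DT_DIR_MODEL  },
    { "passwd", 1002, DT_FILE_MODEL },
    { "shadow", 1003, DT_FILE_MODEL },
};

/* Same names, but one entry now points at a different inode. */
const struct dir_entry relinked_listing[3] = {
    { "bin",    1001, DT_DIR_MODEL  },
    { "passwd", 2002, DT_FILE_MODEL },
    { "shadow", 1003, DT_FILE_MODEL },
};

/* Same names and inodes, but the type of one entry changed. */
const struct dir_entry retyped_listing[3] = {
    { "bin",    1001, DT_DIR_MODEL  },
    { "passwd", 1002, DT_DIR_MODEL  },
    { "shadow", 1003, DT_FILE_MODEL },
};

int main(void)
{
    uint64_t ref = dir_update(good_listing, 3);
    printf("good:     %s\n", dir_check(good_listing, 3, ref) == 0 ? "ok" : "MISMATCH");
    printf("relinked: %s\n", dir_check(relinked_listing, 3, ref) == 0 ? "ok" : "MISMATCH");
    printf("retyped:  %s\n", dir_check(retyped_listing, 3, ref) == 0 ? "ok" : "MISMATCH");
    return 0;
}
```

The point of serialising every field in a fixed layout is that a change to any one of them, including only the inode number or only the entry type, produces a different hash, so a reference stored out of band detects a relinked or retyped entry even when the visible names are unchanged.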