integrity: move integrity_audit_msg()
authorMimi Zohar <zohar@linux.vnet.ibm.com>
Mon, 18 Mar 2013 18:48:02 +0000 (14:48 -0400)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Thu, 20 Jun 2013 11:47:49 +0000 (07:47 -0400)
This patch moves the integrity_audit_msg() function and definition to
security/integrity/, the parent directory, renames the 'ima_audit'
boot command line option to 'integrity_audit', and fixes the Kconfig
help text to reflect the actual code.

Changelog:
- Fixed ifdef inclusion of integrity_audit_msg() (Fengguang Wu)

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Documentation/kernel-parameters.txt
security/integrity/Kconfig
security/integrity/Makefile
security/integrity/ima/Kconfig
security/integrity/ima/Makefile
security/integrity/ima/ima.h
security/integrity/integrity.h
security/integrity/integrity_audit.c [moved from security/integrity/ima/ima_audit.c with 85% similarity]

index c3bfacb..cb5daa1 100644 (file)
@@ -1129,11 +1129,6 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
                        The builtin appraise policy appraises all files
                        owned by uid=0.
 
-       ima_audit=      [IMA]
-                       Format: { "0" | "1" }
-                       0 -- integrity auditing messages. (Default)
-                       1 -- enable informational integrity auditing messages.
-
        ima_hash=       [IMA]
                        Format: { "sha1" | "md5" }
                        default: "sha1"
@@ -1158,6 +1153,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
        inport.irq=     [HW] Inport (ATI XL and Microsoft) busmouse driver
                        Format: <irq>
 
+       integrity_audit=[IMA]
+                       Format: { "0" | "1" }
+                       0 -- basic integrity auditing messages. (Default)
+                       1 -- additional integrity auditing messages.
+
        intel_iommu=    [DMAR] Intel IOMMU driver (DMAR) option
                on
                        Enable intel iommu driver.
index 4bb3a77..245c6d9 100644 (file)
@@ -17,6 +17,21 @@ config INTEGRITY_SIGNATURE
          This is useful for evm and module keyrings, when keys are
          usually only added from initramfs.
 
+config INTEGRITY_AUDIT
+       bool "Enables integrity auditing support "
+       depends on INTEGRITY && AUDIT
+       default y
+       help
+         In addition to enabling integrity auditing support, this
+         option adds a kernel parameter 'integrity_audit', which
+         controls the level of integrity auditing messages.
+         0 - basic integrity auditing messages (default)
+         1 - additional integrity auditing messages
+
+         Additional informational integrity auditing messages would
+         be enabled by specifying 'integrity_audit=1' on the kernel
+         command line.
+
 config INTEGRITY_ASYMMETRIC_KEYS
        boolean "Enable asymmetric keys support"
        depends on INTEGRITY_SIGNATURE
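Review bot: The help text for `INTEGRITY_AUDIT` does not say what turning the option off costs. With it unset, integrity.h compiles integrity_audit_msg() to an empty stub, so no integrity audit records are produced at all, not only the informational ones. A sentence such as `If this option is disabled, no integrity audit messages are generated.` would make that explicit for anyone who relies on these records for monitoring. The prompt string also carries a trailing space (it should read `bool "Enables integrity auditing support"`), and the closing paragraph repeats what the 0/1 list already states.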
index ebb6409..0f9cffb 100644 (file)
@@ -3,6 +3,7 @@
 #
 
 obj-$(CONFIG_INTEGRITY) += integrity.o
+obj-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o
 obj-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
 obj-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
 
index d232c73..39196ab 100644 (file)
@@ -38,18 +38,6 @@ config IMA_MEASURE_PCR_IDX
          that IMA uses to maintain the integrity aggregate of the
          measurement list.  If unsure, use the default 10.
 
-config IMA_AUDIT
-       bool "Enables auditing support"
-       depends on IMA
-       depends on AUDIT
-       default y
-       help
-         This option adds a kernel parameter 'ima_audit', which
-         allows informational auditing messages to be enabled
-         at boot.  If this option is selected, informational integrity
-         auditing messages can be enabled with 'ima_audit=1' on
-         the kernel command line.
-
 config IMA_LSM_RULES
        bool
        depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
index 3f2ca6b..56dfee7 100644 (file)
@@ -7,5 +7,4 @@ obj-$(CONFIG_IMA) += ima.o
 
 ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
         ima_policy.o
-ima-$(CONFIG_IMA_AUDIT) += ima_audit.o
 ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
index a41c9c1..b3dd616 100644 (file)
@@ -62,20 +62,6 @@ struct ima_queue_entry {
 };
 extern struct list_head ima_measurements;      /* list of all measurements */
 
-#ifdef CONFIG_IMA_AUDIT
-/* declarations */
-void integrity_audit_msg(int audit_msgno, struct inode *inode,
-                        const unsigned char *fname, const char *op,
-                        const char *cause, int result, int info);
-#else
-static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
-                                      const unsigned char *fname,
-                                      const char *op, const char *cause,
-                                      int result, int info)
-{
-}
-#endif
-
 /* Internal IMA function definitions */
 int ima_init(void);
 void ima_cleanup(void);
index 84c37c4..c42fb7a 100644 (file)
@@ -113,5 +113,19 @@ static inline int asymmetric_verify(struct key *keyring, const char *sig,
 }
 #endif
 
+#ifdef CONFIG_INTEGRITY_AUDIT
+/* declarations */
+void integrity_audit_msg(int audit_msgno, struct inode *inode,
+                        const unsigned char *fname, const char *op,
+                        const char *cause, int result, int info);
+#else
+static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
+                                      const unsigned char *fname,
+                                      const char *op, const char *cause,
+                                      int result, int info)
+{
+}
+#endif
+
 /* set during initialization */
 extern int iint_initialized;
similarity index 85%
rename from security/integrity/ima/ima_audit.c
rename to security/integrity/integrity_audit.c
index c586faa..d7efb30 100644 (file)
 #include <linux/fs.h>
 #include <linux/gfp.h>
 #include <linux/audit.h>
-#include "ima.h"
+#include "integrity.h"
 
-static int ima_audit;
+static int integrity_audit_info;
 
 /* ima_audit_setup - enable informational auditing messages */
-static int __init ima_audit_setup(char *str)
+static int __init integrity_audit_setup(char *str)
 {
        unsigned long audit;
 
        if (!strict_strtoul(str, 0, &audit))
-               ima_audit = audit ? 1 : 0;
+               integrity_audit_info = audit ? 1 : 0;
        return 1;
 }
-__setup("ima_audit=", ima_audit_setup);
+__setup("integrity_audit=", integrity_audit_setup);
 
 void integrity_audit_msg(int audit_msgno, struct inode *inode,
                         const unsigned char *fname, const char *op,
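Review bot: Registering only `__setup("integrity_audit=", integrity_audit_setup);` drops the `ima_audit=` name without an alias, so a system that still boots with `ima_audit=1` silently falls back to the default and stops emitting the additional integrity audit records. If that is not intended, keep a small second handler registered under the old name that forwards to the same parser and logs a deprecation notice. The comment above the handler is now stale and should read `/* integrity_audit_setup - enable informational auditing messages */`. The handler also returns 1 when `strict_strtoul()` fails, so a malformed value is accepted without any message; a `pr_warn()` on that path would make the misconfiguration visible. The definition of integrity_audit_msg() begins in this hunk and continues outside it.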
@@ -34,7 +34,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
 {
        struct audit_buffer *ab;
 
-       if (!ima_audit && audit_info == 1) /* Skip informational messages */
+       if (!integrity_audit_info && audit_info == 1)   /* Skip info messages */
                return;
 
        ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno);
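Review bot: The gate `if (!integrity_audit_info && audit_info == 1)` decides which integrity records never reach the audit log, yet nothing at the definition says what the last argument means or that records flagged with it are dropped by default. A kernel-doc comment above integrity_audit_msg() would help anyone building monitoring on these records; it should say that `audit_info == 1` marks a message as informational and that such messages are logged only when `integrity_audit=1` was given at boot. The prototype in integrity.h names the parameter `info` while this body uses `audit_info`; presumably the definition's parameter list, which is outside this hunk, uses the latter, and the two should agree. The function body continues beyond the hunk.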