Merge tag 'integrity-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar...

[linux-block.git] / security / integrity / ima / ima_policy.c

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 40c0769238e637294196e5dbc132fe4a09041bf7..3ca8b7348c2e45ffc3cc607f8d4237ab50d8fc9c 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -552,7 +552,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule,
 /**
  * ima_match_rules - determine whether an inode matches the policy rule.
  * @rule: a pointer to a rule
- * @mnt_userns:        user namespace of the mount the inode was found from
+ * @idmap: idmap of the mount the inode was found from
  * @inode: a pointer to an inode
  * @cred: a pointer to a credentials structure for user validation
  * @secid: the secid of the task to be validated
@@ -563,7 +563,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule,
  * Returns true on rule match, false on failure.
  */
 static bool ima_match_rules(struct ima_rule_entry *rule,
-                           struct user_namespace *mnt_userns,
+                           struct mnt_idmap *idmap,
                            struct inode *inode, const struct cred *cred,
                            u32 secid, enum ima_hooks func, int mask,
                            const char *func_data)
@@ -624,11 +624,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
                        return false;
        }
        if ((rule->flags & IMA_FOWNER) &&
-           !rule->fowner_op(i_uid_into_vfsuid(mnt_userns, inode),
+           !rule->fowner_op(i_uid_into_vfsuid(idmap, inode),
                             rule->fowner))
                return false;
        if ((rule->flags & IMA_FGROUP) &&
-           !rule->fgroup_op(i_gid_into_vfsgid(mnt_userns, inode),
+           !rule->fgroup_op(i_gid_into_vfsgid(idmap, inode),
                             rule->fgroup))
                return false;
        for (i = 0; i < MAX_LSM_RULES; i++) {
@@ -714,7 +714,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
 
 /**
  * ima_match_policy - decision based on LSM and other conditions
- * @mnt_userns:        user namespace of the mount the inode was found from
+ * @idmap: idmap of the mount the inode was found from
  * @inode: pointer to an inode for which the policy decision is being made
  * @cred: pointer to a credentials structure for which the policy decision is
  *        being made
@@ -733,7 +733,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
  * list when walking it.  Reads are many orders of magnitude more numerous
  * than writes so ima_match_policy() is classical RCU candidate.
  */
-int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
+int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode,
                     const struct cred *cred, u32 secid, enum ima_hooks func,
                     int mask, int flags, int *pcr,
                     struct ima_template_desc **template_desc,
@@ -753,7 +753,7 @@ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
                if (!(entry->action & actmask))
                        continue;
 
-               if (!ima_match_rules(entry, mnt_userns, inode, cred, secid,
+               if (!ima_match_rules(entry, idmap, inode, cred, secid,
                                     func, mask, func_data))
                        continue;