Commit b6f8f16f41d92861621b043389ef49de1c52d613
Committed by
Mimi Zohar
1 parent
4c1cc40a2d
ima: do not include field length in template digest calc for ima template
To maintain compatibility with userspace tools, the field length must not be included in the template digest calculation for the 'ima' template. Fixes commit a71dc65 ("ima: switch to new template management mechanism"). Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Showing 3 changed files with 15 additions and 6 deletions Side-by-side Diff
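--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -97,7 +97,8 @@
 		    const char *op, struct inode *inode,
 		    const unsigned char *filename);
 int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
-int ima_calc_field_array_hash(struct ima_field_data *field_data, int num_fields,
+int ima_calc_field_array_hash(struct ima_field_data *field_data,
+			      struct ima_template_desc *desc, int num_fields,
 			      struct ima_digest_data *hash);
 int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
 void ima_add_violation(struct file *file, const unsigned char *filename,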
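--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -94,6 +94,7 @@
 	/* this function uses default algo */
 	hash.hdr.algo = HASH_ALGO_SHA1;
 	result = ima_calc_field_array_hash(&entry->template_data[0],
+					   entry->template_desc,
 					   num_fields, &hash.hdr);
 	if (result < 0) {
 		integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,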
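--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -140,6 +140,7 @@
  * Calculate the hash of template data
  */
 static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
+					 struct ima_template_desc *td,
 					 int num_fields,
 					 struct ima_digest_data *hash,
 					 struct crypto_shash *tfm)
@@ -160,9 +161,13 @@
 		return rc;
 
 	for (i = 0; i < num_fields; i++) {
-		rc = crypto_shash_update(&desc.shash,
-					 (const u8 *) &field_data[i].len,
-					 sizeof(field_data[i].len));
+		if (strcmp(td->name, IMA_TEMPLATE_IMA_NAME) != 0) {
+			rc = crypto_shash_update(&desc.shash,
+						 (const u8 *) &field_data[i].len,
+						 sizeof(field_data[i].len));
+			if (rc)
+				break;
+		}
 		rc = crypto_shash_update(&desc.shash, field_data[i].data,
 					 field_data[i].len);
 		if (rc)
@@ -175,7 +180,8 @@
 	return rc;
 }
 
-int ima_calc_field_array_hash(struct ima_field_data *field_data, int num_fields,
+int ima_calc_field_array_hash(struct ima_field_data *field_data,
+			      struct ima_template_desc *desc, int num_fields,
 			      struct ima_digest_data *hash)
 {
 	struct crypto_shash *tfm;
@@ -185,7 +191,8 @@
 	if (IS_ERR(tfm))
 		return PTR_ERR(tfm);
 
-	rc = ima_calc_field_array_hash_tfm(field_data, num_fields, hash, tfm);
+	rc = ima_calc_field_array_hash_tfm(field_data, desc, num_fields,
+					   hash, tfm);
 
 	ima_free_tfm(tfm);
 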
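Review bot: The `strcmp(td->name, IMA_TEMPLATE_IMA_NAME)` in the second hunk is re-evaluated on every field iteration and carries no comment explaining why the length is skipped, even though this is the one place where the measured digest deliberately loses the field-boundary encoding; hoist it out of the loop as `bool include_len = strcmp(td->name, IMA_TEMPLATE_IMA_NAME) != 0;` before the `for`, test `if (include_len)` inside, and add `/* legacy 'ima' template: digest covers raw field data only, for userspace compatibility */`. Without the length prefix the digest is over the bare concatenation of fields, so the 'ima' template's compatibility presumably rests on its fields being of fixed or otherwise unambiguous size — worth stating in that comment so nobody adds a variable-length field to it later. The new code also dereferences `td` unconditionally, so the function now requires a non-NULL template descriptor; the caller in ima_api.c passes `entry->template_desc`, and that precondition should be noted in the header comment above `ima_calc_field_array_hash_tfm`. The body of `ima_calc_field_array_hash_tfm` between its signature (first hunk) and the loop lies outside the hunks shown.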