Commit bcbc9b0cf6d8f340a1d166e414f4612b353f7a9b
1 parent
42a20ba5c9
Exists in
master
and in
16 other branches
ima: extend the measurement list to include the file signature
This patch defines a new template called 'ima-sig', which includes the file signature in the template data, in addition to the file's digest and pathname. A template is composed of a set of fields. Associated with each field is an initialization and display function. This patch defines a new template field called 'sig', the initialization function ima_eventsig_init(), and the display function ima_show_template_sig(). This patch modifies the .field_init() function definition to include the 'security.ima' extended attribute and length. Changelog: - remove unused code (Dmitry Kasatkin) - avoid calling ima_write_template_field_data() unnecesarily (Roberto Sassu) - rename DATA_FMT_SIG to DATA_FMT_HEX - cleanup ima_eventsig_init() based on Roberto's comments Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Showing 8 changed files with 73 additions and 12 deletions Side-by-side Diff
security/integrity/ima/Kconfig
| ... | ... | @@ -63,6 +63,8 @@ |
| 63 | 63 | bool "ima" |
| 64 | 64 | config IMA_NG_TEMPLATE |
| 65 | 65 | bool "ima-ng (default)" |
| 66 | + config IMA_SIG_TEMPLATE | |
| 67 | + bool "ima-sig" | |
| 66 | 68 | endchoice |
| 67 | 69 | |
| 68 | 70 | config IMA_DEFAULT_TEMPLATE |
| ... | ... | @@ -70,6 +72,7 @@ |
| 70 | 72 | depends on IMA |
| 71 | 73 | default "ima" if IMA_TEMPLATE |
| 72 | 74 | default "ima-ng" if IMA_NG_TEMPLATE |
| 75 | + default "ima-sig" if IMA_SIG_TEMPLATE | |
| 73 | 76 | |
| 74 | 77 | choice |
| 75 | 78 | prompt "Default integrity hash algorithm" |
security/integrity/ima/ima.h
| ... | ... | @@ -59,7 +59,8 @@ |
| 59 | 59 | const char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN]; |
| 60 | 60 | int (*field_init) (struct integrity_iint_cache *iint, struct file *file, |
| 61 | 61 | const unsigned char *filename, |
| 62 | - struct ima_field_data *field_data); | |
| 62 | + struct evm_ima_xattr_data *xattr_value, | |
| 63 | + int xattr_len, struct ima_field_data *field_data); | |
| 63 | 64 | void (*field_show) (struct seq_file *m, enum ima_show_type show, |
| 64 | 65 | struct ima_field_data *field_data); |
| 65 | 66 | }; |
| 66 | 67 | |
| ... | ... | @@ -134,12 +135,15 @@ |
| 134 | 135 | struct evm_ima_xattr_data **xattr_value, |
| 135 | 136 | int *xattr_len); |
| 136 | 137 | void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, |
| 137 | - const unsigned char *filename); | |
| 138 | + const unsigned char *filename, | |
| 139 | + struct evm_ima_xattr_data *xattr_value, | |
| 140 | + int xattr_len); | |
| 138 | 141 | void ima_audit_measurement(struct integrity_iint_cache *iint, |
| 139 | 142 | const unsigned char *filename); |
| 140 | 143 | int ima_alloc_init_template(struct integrity_iint_cache *iint, |
| 141 | 144 | struct file *file, const unsigned char *filename, |
| 142 | - struct ima_template_entry **entry); | |
| 145 | + struct evm_ima_xattr_data *xattr_value, | |
| 146 | + int xattr_len, struct ima_template_entry **entry); | |
| 143 | 147 | int ima_store_template(struct ima_template_entry *entry, int violation, |
| 144 | 148 | struct inode *inode, const unsigned char *filename); |
| 145 | 149 | const char *ima_d_path(struct path *path, char **pathbuf); |
security/integrity/ima/ima_api.c
| ... | ... | @@ -26,7 +26,8 @@ |
| 26 | 26 | */ |
| 27 | 27 | int ima_alloc_init_template(struct integrity_iint_cache *iint, |
| 28 | 28 | struct file *file, const unsigned char *filename, |
| 29 | - struct ima_template_entry **entry) | |
| 29 | + struct evm_ima_xattr_data *xattr_value, | |
| 30 | + int xattr_len, struct ima_template_entry **entry) | |
| 30 | 31 | { |
| 31 | 32 | struct ima_template_desc *template_desc = ima_template_desc_current(); |
| 32 | 33 | int i, result = 0; |
| ... | ... | @@ -41,6 +42,7 @@ |
| 41 | 42 | u32 len; |
| 42 | 43 | |
| 43 | 44 | result = field->field_init(iint, file, filename, |
| 45 | + xattr_value, xattr_len, | |
| 44 | 46 | &((*entry)->template_data[i])); |
| 45 | 47 | if (result != 0) |
| 46 | 48 | goto out; |
| ... | ... | @@ -123,7 +125,8 @@ |
| 123 | 125 | /* can overflow, only indicator */ |
| 124 | 126 | atomic_long_inc(&ima_htable.violations); |
| 125 | 127 | |
| 126 | - result = ima_alloc_init_template(NULL, file, filename, &entry); | |
| 128 | + result = ima_alloc_init_template(NULL, file, filename, | |
| 129 | + NULL, 0, &entry); | |
| 127 | 130 | if (result < 0) { |
| 128 | 131 | result = -ENOMEM; |
| 129 | 132 | goto err_out; |
| ... | ... | @@ -239,7 +242,9 @@ |
| 239 | 242 | * Must be called with iint->mutex held. |
| 240 | 243 | */ |
| 241 | 244 | void ima_store_measurement(struct integrity_iint_cache *iint, |
| 242 | - struct file *file, const unsigned char *filename) | |
| 245 | + struct file *file, const unsigned char *filename, | |
| 246 | + struct evm_ima_xattr_data *xattr_value, | |
| 247 | + int xattr_len) | |
| 243 | 248 | { |
| 244 | 249 | const char *op = "add_template_measure"; |
| 245 | 250 | const char *audit_cause = "ENOMEM"; |
| ... | ... | @@ -251,7 +256,8 @@ |
| 251 | 256 | if (iint->flags & IMA_MEASURED) |
| 252 | 257 | return; |
| 253 | 258 | |
| 254 | - result = ima_alloc_init_template(iint, file, filename, &entry); | |
| 259 | + result = ima_alloc_init_template(iint, file, filename, | |
| 260 | + xattr_value, xattr_len, &entry); | |
| 255 | 261 | if (result < 0) { |
| 256 | 262 | integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, |
| 257 | 263 | op, audit_cause, result, 0); |
security/integrity/ima/ima_init.c
security/integrity/ima/ima_main.c
| ... | ... | @@ -225,7 +225,8 @@ |
| 225 | 225 | pathname = (const char *)file->f_dentry->d_name.name; |
| 226 | 226 | |
| 227 | 227 | if (action & IMA_MEASURE) |
| 228 | - ima_store_measurement(iint, file, pathname); | |
| 228 | + ima_store_measurement(iint, file, pathname, | |
| 229 | + xattr_value, xattr_len); | |
| 229 | 230 | if (action & IMA_APPRAISE_SUBMASK) |
| 230 | 231 | rc = ima_appraise_measurement(_func, iint, file, pathname, |
| 231 | 232 | xattr_value, xattr_len); |
security/integrity/ima/ima_template.c
| ... | ... | @@ -20,6 +20,7 @@ |
| 20 | 20 | static struct ima_template_desc defined_templates[] = { |
| 21 | 21 | {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT}, |
| 22 | 22 | {.name = "ima-ng",.fmt = "d-ng|n-ng"}, |
| 23 | + {.name = "ima-sig",.fmt = "d-ng|n-ng|sig"}, | |
| 23 | 24 | }; |
| 24 | 25 | |
| 25 | 26 | static struct ima_template_field supported_fields[] = { |
| ... | ... | @@ -31,6 +32,8 @@ |
| 31 | 32 | .field_show = ima_show_template_digest_ng}, |
| 32 | 33 | {.field_id = "n-ng",.field_init = ima_eventname_ng_init, |
| 33 | 34 | .field_show = ima_show_template_string}, |
| 35 | + {.field_id = "sig",.field_init = ima_eventsig_init, | |
| 36 | + .field_show = ima_show_template_sig}, | |
| 34 | 37 | }; |
| 35 | 38 | |
| 36 | 39 | static struct ima_template_desc *ima_template; |
security/integrity/ima/ima_template_lib.c
| ... | ... | @@ -28,7 +28,8 @@ |
| 28 | 28 | DATA_FMT_DIGEST = 0, |
| 29 | 29 | DATA_FMT_DIGEST_WITH_ALGO, |
| 30 | 30 | DATA_FMT_EVENT_NAME, |
| 31 | - DATA_FMT_STRING | |
| 31 | + DATA_FMT_STRING, | |
| 32 | + DATA_FMT_HEX | |
| 32 | 33 | }; |
| 33 | 34 | |
| 34 | 35 | static int ima_write_template_field_data(const void *data, const u32 datalen, |
| ... | ... | @@ -90,6 +91,9 @@ |
| 90 | 91 | buf_ptr += 2; |
| 91 | 92 | buflen -= buf_ptr - field_data->data; |
| 92 | 93 | case DATA_FMT_DIGEST: |
| 94 | + case DATA_FMT_HEX: | |
| 95 | + if (!buflen) | |
| 96 | + break; | |
| 93 | 97 | ima_print_digest(m, buf_ptr, buflen); |
| 94 | 98 | break; |
| 95 | 99 | case DATA_FMT_STRING: |
| ... | ... | @@ -147,6 +151,12 @@ |
| 147 | 151 | ima_show_template_field_data(m, show, DATA_FMT_STRING, field_data); |
| 148 | 152 | } |
| 149 | 153 | |
| 154 | +void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, | |
| 155 | + struct ima_field_data *field_data) | |
| 156 | +{ | |
| 157 | + ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data); | |
| 158 | +} | |
| 159 | + | |
| 150 | 160 | static int ima_eventdigest_init_common(u8 *digest, u32 digestsize, u8 hash_algo, |
| 151 | 161 | struct ima_field_data *field_data, |
| 152 | 162 | bool size_limit) |
| ... | ... | @@ -190,6 +200,7 @@ |
| 190 | 200 | */ |
| 191 | 201 | int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file, |
| 192 | 202 | const unsigned char *filename, |
| 203 | + struct evm_ima_xattr_data *xattr_value, int xattr_len, | |
| 193 | 204 | struct ima_field_data *field_data) |
| 194 | 205 | { |
| 195 | 206 | struct { |
| ... | ... | @@ -237,7 +248,8 @@ |
| 237 | 248 | */ |
| 238 | 249 | int ima_eventdigest_ng_init(struct integrity_iint_cache *iint, |
| 239 | 250 | struct file *file, const unsigned char *filename, |
| 240 | - struct ima_field_data *field_data) | |
| 251 | + struct evm_ima_xattr_data *xattr_value, | |
| 252 | + int xattr_len, struct ima_field_data *field_data) | |
| 241 | 253 | { |
| 242 | 254 | u8 *cur_digest = NULL, hash_algo = HASH_ALGO__LAST; |
| 243 | 255 | u32 cur_digestsize = 0; |
| ... | ... | @@ -295,6 +307,7 @@ |
| 295 | 307 | */ |
| 296 | 308 | int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file, |
| 297 | 309 | const unsigned char *filename, |
| 310 | + struct evm_ima_xattr_data *xattr_value, int xattr_len, | |
| 298 | 311 | struct ima_field_data *field_data) |
| 299 | 312 | { |
| 300 | 313 | return ima_eventname_init_common(iint, file, filename, |
| 301 | 314 | |
| ... | ... | @@ -306,9 +319,30 @@ |
| 306 | 319 | */ |
| 307 | 320 | int ima_eventname_ng_init(struct integrity_iint_cache *iint, struct file *file, |
| 308 | 321 | const unsigned char *filename, |
| 322 | + struct evm_ima_xattr_data *xattr_value, int xattr_len, | |
| 309 | 323 | struct ima_field_data *field_data) |
| 310 | 324 | { |
| 311 | 325 | return ima_eventname_init_common(iint, file, filename, |
| 312 | 326 | field_data, false); |
| 327 | +} | |
| 328 | + | |
| 329 | +/* | |
| 330 | + * ima_eventsig_init - include the file signature as part of the template data | |
| 331 | + */ | |
| 332 | +int ima_eventsig_init(struct integrity_iint_cache *iint, struct file *file, | |
| 333 | + const unsigned char *filename, | |
| 334 | + struct evm_ima_xattr_data *xattr_value, int xattr_len, | |
| 335 | + struct ima_field_data *field_data) | |
| 336 | +{ | |
| 337 | + enum data_formats fmt = DATA_FMT_HEX; | |
| 338 | + int rc = 0; | |
| 339 | + | |
| 340 | + if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG)) | |
| 341 | + goto out; | |
| 342 | + | |
| 343 | + rc = ima_write_template_field_data(xattr_value, xattr_len, fmt, | |
| 344 | + field_data); | |
| 345 | +out: | |
| 346 | + return rc; | |
| 313 | 347 | } |
security/integrity/ima/ima_template_lib.h
| ... | ... | @@ -24,17 +24,27 @@ |
| 24 | 24 | struct ima_field_data *field_data); |
| 25 | 25 | void ima_show_template_string(struct seq_file *m, enum ima_show_type show, |
| 26 | 26 | struct ima_field_data *field_data); |
| 27 | +void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, | |
| 28 | + struct ima_field_data *field_data); | |
| 27 | 29 | int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file, |
| 28 | 30 | const unsigned char *filename, |
| 31 | + struct evm_ima_xattr_data *xattr_value, int xattr_len, | |
| 29 | 32 | struct ima_field_data *field_data); |
| 30 | 33 | int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file, |
| 31 | 34 | const unsigned char *filename, |
| 35 | + struct evm_ima_xattr_data *xattr_value, int xattr_len, | |
| 32 | 36 | struct ima_field_data *field_data); |
| 33 | 37 | int ima_eventdigest_ng_init(struct integrity_iint_cache *iint, |
| 34 | 38 | struct file *file, const unsigned char *filename, |
| 35 | - struct ima_field_data *field_data); | |
| 39 | + struct evm_ima_xattr_data *xattr_value, | |
| 40 | + int xattr_len, struct ima_field_data *field_data); | |
| 36 | 41 | int ima_eventname_ng_init(struct integrity_iint_cache *iint, struct file *file, |
| 37 | 42 | const unsigned char *filename, |
| 43 | + struct evm_ima_xattr_data *xattr_value, int xattr_len, | |
| 38 | 44 | struct ima_field_data *field_data); |
| 45 | +int ima_eventsig_init(struct integrity_iint_cache *iint, struct file *file, | |
| 46 | + const unsigned char *filename, | |
| 47 | + struct evm_ima_xattr_data *xattr_value, int xattr_len, | |
| 48 | + struct ima_field_data *field_data); | |
| 39 | 49 | #endif /* __LINUX_IMA_TEMPLATE_LIB_H */ |