summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2013-07-23 11:15:00 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2013-10-31 20:19:35 -0400
commitbcbc9b0cf6d8f340a1d166e414f4612b353f7a9b (patch)
treecd728f166ccf86137a7a8a7847ce962488ff86e2 /security
parent42a20ba5c90ded07f79992d222fa0814b8448cf6 (diff)
ima: extend the measurement list to include the file signature
This patch defines a new template called 'ima-sig', which includes the file signature in the template data, in addition to the file's digest and pathname. A template is composed of a set of fields. Associated with each field is an initialization and display function. This patch defines a new template field called 'sig', the initialization function ima_eventsig_init(), and the display function ima_show_template_sig(). This patch modifies the .field_init() function definition to include the 'security.ima' extended attribute and length. Changelog: - remove unused code (Dmitry Kasatkin) - avoid calling ima_write_template_field_data() unnecesarily (Roberto Sassu) - rename DATA_FMT_SIG to DATA_FMT_HEX - cleanup ima_eventsig_init() based on Roberto's comments Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/ima/Kconfig3
-rw-r--r--security/integrity/ima/ima.h10
-rw-r--r--security/integrity/ima/ima_api.c14
-rw-r--r--security/integrity/ima/ima_init.c2
-rw-r--r--security/integrity/ima/ima_main.c3
-rw-r--r--security/integrity/ima/ima_template.c3
-rw-r--r--security/integrity/ima/ima_template_lib.c38
-rw-r--r--security/integrity/ima/ima_template_lib.h12
8 files changed, 73 insertions, 12 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 351a58ed56ab..81a27971d884 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -63,6 +63,8 @@ choice
63 bool "ima" 63 bool "ima"
64 config IMA_NG_TEMPLATE 64 config IMA_NG_TEMPLATE
65 bool "ima-ng (default)" 65 bool "ima-ng (default)"
66 config IMA_SIG_TEMPLATE
67 bool "ima-sig"
66endchoice 68endchoice
67 69
68config IMA_DEFAULT_TEMPLATE 70config IMA_DEFAULT_TEMPLATE
@@ -70,6 +72,7 @@ config IMA_DEFAULT_TEMPLATE
70 depends on IMA 72 depends on IMA
71 default "ima" if IMA_TEMPLATE 73 default "ima" if IMA_TEMPLATE
72 default "ima-ng" if IMA_NG_TEMPLATE 74 default "ima-ng" if IMA_NG_TEMPLATE
75 default "ima-sig" if IMA_SIG_TEMPLATE
73 76
74choice 77choice
75 prompt "Default integrity hash algorithm" 78 prompt "Default integrity hash algorithm"
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 72d013e190b1..bf03c6a16cc8 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -59,7 +59,8 @@ struct ima_template_field {
59 const char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN]; 59 const char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
60 int (*field_init) (struct integrity_iint_cache *iint, struct file *file, 60 int (*field_init) (struct integrity_iint_cache *iint, struct file *file,
61 const unsigned char *filename, 61 const unsigned char *filename,
62 struct ima_field_data *field_data); 62 struct evm_ima_xattr_data *xattr_value,
63 int xattr_len, struct ima_field_data *field_data);
63 void (*field_show) (struct seq_file *m, enum ima_show_type show, 64 void (*field_show) (struct seq_file *m, enum ima_show_type show,
64 struct ima_field_data *field_data); 65 struct ima_field_data *field_data);
65}; 66};
@@ -134,12 +135,15 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
134 struct evm_ima_xattr_data **xattr_value, 135 struct evm_ima_xattr_data **xattr_value,
135 int *xattr_len); 136 int *xattr_len);
136void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, 137void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
137 const unsigned char *filename); 138 const unsigned char *filename,
139 struct evm_ima_xattr_data *xattr_value,
140 int xattr_len);
138void ima_audit_measurement(struct integrity_iint_cache *iint, 141void ima_audit_measurement(struct integrity_iint_cache *iint,
139 const unsigned char *filename); 142 const unsigned char *filename);
140int ima_alloc_init_template(struct integrity_iint_cache *iint, 143int ima_alloc_init_template(struct integrity_iint_cache *iint,
141 struct file *file, const unsigned char *filename, 144 struct file *file, const unsigned char *filename,
142 struct ima_template_entry **entry); 145 struct evm_ima_xattr_data *xattr_value,
146 int xattr_len, struct ima_template_entry **entry);
143int ima_store_template(struct ima_template_entry *entry, int violation, 147int ima_store_template(struct ima_template_entry *entry, int violation,
144 struct inode *inode, const unsigned char *filename); 148 struct inode *inode, const unsigned char *filename);
145const char *ima_d_path(struct path *path, char **pathbuf); 149const char *ima_d_path(struct path *path, char **pathbuf);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 5fcc80695d87..0e7540863fc2 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -26,7 +26,8 @@
26 */ 26 */
27int ima_alloc_init_template(struct integrity_iint_cache *iint, 27int ima_alloc_init_template(struct integrity_iint_cache *iint,
28 struct file *file, const unsigned char *filename, 28 struct file *file, const unsigned char *filename,
29 struct ima_template_entry **entry) 29 struct evm_ima_xattr_data *xattr_value,
30 int xattr_len, struct ima_template_entry **entry)
30{ 31{
31 struct ima_template_desc *template_desc = ima_template_desc_current(); 32 struct ima_template_desc *template_desc = ima_template_desc_current();
32 int i, result = 0; 33 int i, result = 0;
@@ -41,6 +42,7 @@ int ima_alloc_init_template(struct integrity_iint_cache *iint,
41 u32 len; 42 u32 len;
42 43
43 result = field->field_init(iint, file, filename, 44 result = field->field_init(iint, file, filename,
45 xattr_value, xattr_len,
44 &((*entry)->template_data[i])); 46 &((*entry)->template_data[i]));
45 if (result != 0) 47 if (result != 0)
46 goto out; 48 goto out;
@@ -123,7 +125,8 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
123 /* can overflow, only indicator */ 125 /* can overflow, only indicator */
124 atomic_long_inc(&ima_htable.violations); 126 atomic_long_inc(&ima_htable.violations);
125 127
126 result = ima_alloc_init_template(NULL, file, filename, &entry); 128 result = ima_alloc_init_template(NULL, file, filename,
129 NULL, 0, &entry);
127 if (result < 0) { 130 if (result < 0) {
128 result = -ENOMEM; 131 result = -ENOMEM;
129 goto err_out; 132 goto err_out;
@@ -239,7 +242,9 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
239 * Must be called with iint->mutex held. 242 * Must be called with iint->mutex held.
240 */ 243 */
241void ima_store_measurement(struct integrity_iint_cache *iint, 244void ima_store_measurement(struct integrity_iint_cache *iint,
242 struct file *file, const unsigned char *filename) 245 struct file *file, const unsigned char *filename,
246 struct evm_ima_xattr_data *xattr_value,
247 int xattr_len)
243{ 248{
244 const char *op = "add_template_measure"; 249 const char *op = "add_template_measure";
245 const char *audit_cause = "ENOMEM"; 250 const char *audit_cause = "ENOMEM";
@@ -251,7 +256,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
251 if (iint->flags & IMA_MEASURED) 256 if (iint->flags & IMA_MEASURED)
252 return; 257 return;
253 258
254 result = ima_alloc_init_template(iint, file, filename, &entry); 259 result = ima_alloc_init_template(iint, file, filename,
260 xattr_value, xattr_len, &entry);
255 if (result < 0) { 261 if (result < 0) {
256 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 262 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
257 op, audit_cause, result, 0); 263 op, audit_cause, result, 0);
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index f84aec5412f3..15f34bd40abe 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -69,7 +69,7 @@ static void __init ima_add_boot_aggregate(void)
69 } 69 }
70 70
71 result = ima_alloc_init_template(iint, NULL, boot_aggregate_name, 71 result = ima_alloc_init_template(iint, NULL, boot_aggregate_name,
72 &entry); 72 NULL, 0, &entry);
73 if (result < 0) 73 if (result < 0)
74 return; 74 return;
75 75
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 14d4cb557894..149ee1119f87 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -225,7 +225,8 @@ static int process_measurement(struct file *file, const char *filename,
225 pathname = (const char *)file->f_dentry->d_name.name; 225 pathname = (const char *)file->f_dentry->d_name.name;
226 226
227 if (action & IMA_MEASURE) 227 if (action & IMA_MEASURE)
228 ima_store_measurement(iint, file, pathname); 228 ima_store_measurement(iint, file, pathname,
229 xattr_value, xattr_len);
229 if (action & IMA_APPRAISE_SUBMASK) 230 if (action & IMA_APPRAISE_SUBMASK)
230 rc = ima_appraise_measurement(_func, iint, file, pathname, 231 rc = ima_appraise_measurement(_func, iint, file, pathname,
231 xattr_value, xattr_len); 232 xattr_value, xattr_len);
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index 000221419f6c..4e5da990630b 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -20,6 +20,7 @@
20static struct ima_template_desc defined_templates[] = { 20static struct ima_template_desc defined_templates[] = {
21 {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT}, 21 {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
22 {.name = "ima-ng",.fmt = "d-ng|n-ng"}, 22 {.name = "ima-ng",.fmt = "d-ng|n-ng"},
23 {.name = "ima-sig",.fmt = "d-ng|n-ng|sig"},
23}; 24};
24 25
25static struct ima_template_field supported_fields[] = { 26static struct ima_template_field supported_fields[] = {
@@ -31,6 +32,8 @@ static struct ima_template_field supported_fields[] = {
31 .field_show = ima_show_template_digest_ng}, 32 .field_show = ima_show_template_digest_ng},
32 {.field_id = "n-ng",.field_init = ima_eventname_ng_init, 33 {.field_id = "n-ng",.field_init = ima_eventname_ng_init,
33 .field_show = ima_show_template_string}, 34 .field_show = ima_show_template_string},
35 {.field_id = "sig",.field_init = ima_eventsig_init,
36 .field_show = ima_show_template_sig},
34}; 37};
35 38
36static struct ima_template_desc *ima_template; 39static struct ima_template_desc *ima_template;
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 7d841448f246..6d66ad6ed265 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -28,7 +28,8 @@ enum data_formats {
28 DATA_FMT_DIGEST = 0, 28 DATA_FMT_DIGEST = 0,
29 DATA_FMT_DIGEST_WITH_ALGO, 29 DATA_FMT_DIGEST_WITH_ALGO,
30 DATA_FMT_EVENT_NAME, 30 DATA_FMT_EVENT_NAME,
31 DATA_FMT_STRING 31 DATA_FMT_STRING,
32 DATA_FMT_HEX
32}; 33};
33 34
34static int ima_write_template_field_data(const void *data, const u32 datalen, 35static int ima_write_template_field_data(const void *data, const u32 datalen,
@@ -90,6 +91,9 @@ static void ima_show_template_data_ascii(struct seq_file *m,
90 buf_ptr += 2; 91 buf_ptr += 2;
91 buflen -= buf_ptr - field_data->data; 92 buflen -= buf_ptr - field_data->data;
92 case DATA_FMT_DIGEST: 93 case DATA_FMT_DIGEST:
94 case DATA_FMT_HEX:
95 if (!buflen)
96 break;
93 ima_print_digest(m, buf_ptr, buflen); 97 ima_print_digest(m, buf_ptr, buflen);
94 break; 98 break;
95 case DATA_FMT_STRING: 99 case DATA_FMT_STRING:
@@ -147,6 +151,12 @@ void ima_show_template_string(struct seq_file *m, enum ima_show_type show,
147 ima_show_template_field_data(m, show, DATA_FMT_STRING, field_data); 151 ima_show_template_field_data(m, show, DATA_FMT_STRING, field_data);
148} 152}
149 153
154void ima_show_template_sig(struct seq_file *m, enum ima_show_type show,
155 struct ima_field_data *field_data)
156{
157 ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data);
158}
159
150static int ima_eventdigest_init_common(u8 *digest, u32 digestsize, u8 hash_algo, 160static int ima_eventdigest_init_common(u8 *digest, u32 digestsize, u8 hash_algo,
151 struct ima_field_data *field_data, 161 struct ima_field_data *field_data,
152 bool size_limit) 162 bool size_limit)
@@ -190,6 +200,7 @@ static int ima_eventdigest_init_common(u8 *digest, u32 digestsize, u8 hash_algo,
190 */ 200 */
191int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file, 201int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file,
192 const unsigned char *filename, 202 const unsigned char *filename,
203 struct evm_ima_xattr_data *xattr_value, int xattr_len,
193 struct ima_field_data *field_data) 204 struct ima_field_data *field_data)
194{ 205{
195 struct { 206 struct {
@@ -237,7 +248,8 @@ out:
237 */ 248 */
238int ima_eventdigest_ng_init(struct integrity_iint_cache *iint, 249int ima_eventdigest_ng_init(struct integrity_iint_cache *iint,
239 struct file *file, const unsigned char *filename, 250 struct file *file, const unsigned char *filename,
240 struct ima_field_data *field_data) 251 struct evm_ima_xattr_data *xattr_value,
252 int xattr_len, struct ima_field_data *field_data)
241{ 253{
242 u8 *cur_digest = NULL, hash_algo = HASH_ALGO__LAST; 254 u8 *cur_digest = NULL, hash_algo = HASH_ALGO__LAST;
243 u32 cur_digestsize = 0; 255 u32 cur_digestsize = 0;
@@ -295,6 +307,7 @@ out:
295 */ 307 */
296int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file, 308int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file,
297 const unsigned char *filename, 309 const unsigned char *filename,
310 struct evm_ima_xattr_data *xattr_value, int xattr_len,
298 struct ima_field_data *field_data) 311 struct ima_field_data *field_data)
299{ 312{
300 return ima_eventname_init_common(iint, file, filename, 313 return ima_eventname_init_common(iint, file, filename,
@@ -306,8 +319,29 @@ int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file,
306 */ 319 */
307int ima_eventname_ng_init(struct integrity_iint_cache *iint, struct file *file, 320int ima_eventname_ng_init(struct integrity_iint_cache *iint, struct file *file,
308 const unsigned char *filename, 321 const unsigned char *filename,
322 struct evm_ima_xattr_data *xattr_value, int xattr_len,
309 struct ima_field_data *field_data) 323 struct ima_field_data *field_data)
310{ 324{
311 return ima_eventname_init_common(iint, file, filename, 325 return ima_eventname_init_common(iint, file, filename,
312 field_data, false); 326 field_data, false);
313} 327}
328
329/*
330 * ima_eventsig_init - include the file signature as part of the template data
331 */
332int ima_eventsig_init(struct integrity_iint_cache *iint, struct file *file,
333 const unsigned char *filename,
334 struct evm_ima_xattr_data *xattr_value, int xattr_len,
335 struct ima_field_data *field_data)
336{
337 enum data_formats fmt = DATA_FMT_HEX;
338 int rc = 0;
339
340 if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
341 goto out;
342
343 rc = ima_write_template_field_data(xattr_value, xattr_len, fmt,
344 field_data);
345out:
346 return rc;
347}
diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h
index 16c5e7810234..63f6b52cb1c2 100644
--- a/security/integrity/ima/ima_template_lib.h
+++ b/security/integrity/ima/ima_template_lib.h
@@ -24,16 +24,26 @@ void ima_show_template_digest_ng(struct seq_file *m, enum ima_show_type show,
24 struct ima_field_data *field_data); 24 struct ima_field_data *field_data);
25void ima_show_template_string(struct seq_file *m, enum ima_show_type show, 25void ima_show_template_string(struct seq_file *m, enum ima_show_type show,
26 struct ima_field_data *field_data); 26 struct ima_field_data *field_data);
27void ima_show_template_sig(struct seq_file *m, enum ima_show_type show,
28 struct ima_field_data *field_data);
27int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file, 29int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file,
28 const unsigned char *filename, 30 const unsigned char *filename,
31 struct evm_ima_xattr_data *xattr_value, int xattr_len,
29 struct ima_field_data *field_data); 32 struct ima_field_data *field_data);
30int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file, 33int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file,
31 const unsigned char *filename, 34 const unsigned char *filename,
35 struct evm_ima_xattr_data *xattr_value, int xattr_len,
32 struct ima_field_data *field_data); 36 struct ima_field_data *field_data);
33int ima_eventdigest_ng_init(struct integrity_iint_cache *iint, 37int ima_eventdigest_ng_init(struct integrity_iint_cache *iint,
34 struct file *file, const unsigned char *filename, 38 struct file *file, const unsigned char *filename,
35 struct ima_field_data *field_data); 39 struct evm_ima_xattr_data *xattr_value,
40 int xattr_len, struct ima_field_data *field_data);
36int ima_eventname_ng_init(struct integrity_iint_cache *iint, struct file *file, 41int ima_eventname_ng_init(struct integrity_iint_cache *iint, struct file *file,
37 const unsigned char *filename, 42 const unsigned char *filename,
43 struct evm_ima_xattr_data *xattr_value, int xattr_len,
38 struct ima_field_data *field_data); 44 struct ima_field_data *field_data);
45int ima_eventsig_init(struct integrity_iint_cache *iint, struct file *file,
46 const unsigned char *filename,
47 struct evm_ima_xattr_data *xattr_value, int xattr_len,
48 struct ima_field_data *field_data);
39#endif /* __LINUX_IMA_TEMPLATE_LIB_H */ 49#endif /* __LINUX_IMA_TEMPLATE_LIB_H */
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-18 20:38:26 -0500