diff options
| author | Roberto Sassu <rsassu@suse.de> | 2015-04-11 11:12:39 -0400 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2015-05-21 13:59:29 -0400 |
| commit | 8d94eb9b5cff350ba170848c862ca0006d33d496 (patch) | |
| tree | 88774fba38e58df1530470b3a5072e5b729f2ec6 | |
| parent | 23b5741932ca44856762fa24cc7e01307ab8af1f (diff) | |
ima: pass iint to ima_add_violation()
This patch adds the iint associated to the current inode as a new
parameter of ima_add_violation(). The passed iint is always not NULL
if a violation is detected. This modification will be used to determine
the inode for which there is a violation.
Since the 'd' and 'd-ng' template field init() functions were detecting
a violation from the value of the iint pointer, they now check the new
field 'violation', added to the 'ima_event_data' structure.
Changelog:
- v1:
- modified an old comment (Roberto Sassu)
Signed-off-by: Roberto Sassu <rsassu@suse.de>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| -rw-r--r-- | security/integrity/ima/ima.h | 2 | ||||
| -rw-r--r-- | security/integrity/ima/ima_api.c | 8 | ||||
| -rw-r--r-- | security/integrity/ima/ima_init.c | 2 | ||||
| -rw-r--r-- | security/integrity/ima/ima_main.c | 5 | ||||
| -rw-r--r-- | security/integrity/ima/ima_template_lib.c | 5 |
5 files changed, 13 insertions, 9 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index e13ae5466bf2..c996f7edff3a 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h | |||
| @@ -59,6 +59,7 @@ struct ima_event_data { | |||
| 59 | const unsigned char *filename; | 59 | const unsigned char *filename; |
| 60 | struct evm_ima_xattr_data *xattr_value; | 60 | struct evm_ima_xattr_data *xattr_value; |
| 61 | int xattr_len; | 61 | int xattr_len; |
| 62 | const char *violation; | ||
| 62 | }; | 63 | }; |
| 63 | 64 | ||
| 64 | /* IMA template field data definition */ | 65 | /* IMA template field data definition */ |
| @@ -110,6 +111,7 @@ int ima_calc_field_array_hash(struct ima_field_data *field_data, | |||
| 110 | struct ima_digest_data *hash); | 111 | struct ima_digest_data *hash); |
| 111 | int __init ima_calc_boot_aggregate(struct ima_digest_data *hash); | 112 | int __init ima_calc_boot_aggregate(struct ima_digest_data *hash); |
| 112 | void ima_add_violation(struct file *file, const unsigned char *filename, | 113 | void ima_add_violation(struct file *file, const unsigned char *filename, |
| 114 | struct integrity_iint_cache *iint, | ||
| 113 | const char *op, const char *cause); | 115 | const char *op, const char *cause); |
| 114 | int ima_init_crypto(void); | 116 | int ima_init_crypto(void); |
| 115 | void ima_putc(struct seq_file *m, void *data, int datalen); | 117 | void ima_putc(struct seq_file *m, void *data, int datalen); |
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 5865ea2a2777..1d950fbb2aec 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c | |||
| @@ -126,11 +126,13 @@ int ima_store_template(struct ima_template_entry *entry, | |||
| 126 | * value is invalidated. | 126 | * value is invalidated. |
| 127 | */ | 127 | */ |
| 128 | void ima_add_violation(struct file *file, const unsigned char *filename, | 128 | void ima_add_violation(struct file *file, const unsigned char *filename, |
| 129 | struct integrity_iint_cache *iint, | ||
| 129 | const char *op, const char *cause) | 130 | const char *op, const char *cause) |
| 130 | { | 131 | { |
| 131 | struct ima_template_entry *entry; | 132 | struct ima_template_entry *entry; |
| 132 | struct inode *inode = file_inode(file); | 133 | struct inode *inode = file_inode(file); |
| 133 | struct ima_event_data event_data = {NULL, file, filename, NULL, 0}; | 134 | struct ima_event_data event_data = {iint, file, filename, NULL, 0, |
| 135 | cause}; | ||
| 134 | int violation = 1; | 136 | int violation = 1; |
| 135 | int result; | 137 | int result; |
| 136 | 138 | ||
| @@ -264,8 +266,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint, | |||
| 264 | int result = -ENOMEM; | 266 | int result = -ENOMEM; |
| 265 | struct inode *inode = file_inode(file); | 267 | struct inode *inode = file_inode(file); |
| 266 | struct ima_template_entry *entry; | 268 | struct ima_template_entry *entry; |
| 267 | struct ima_event_data event_data = {iint, file, filename, | 269 | struct ima_event_data event_data = {iint, file, filename, xattr_value, |
| 268 | xattr_value, xattr_len}; | 270 | xattr_len, NULL}; |
| 269 | int violation = 0; | 271 | int violation = 0; |
| 270 | 272 | ||
| 271 | if (iint->flags & IMA_MEASURED) | 273 | if (iint->flags & IMA_MEASURED) |
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 2c668370a438..e600cadd231c 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c | |||
| @@ -50,7 +50,7 @@ static int __init ima_add_boot_aggregate(void) | |||
| 50 | struct ima_template_entry *entry; | 50 | struct ima_template_entry *entry; |
| 51 | struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; | 51 | struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; |
| 52 | struct ima_event_data event_data = {iint, NULL, boot_aggregate_name, | 52 | struct ima_event_data event_data = {iint, NULL, boot_aggregate_name, |
| 53 | NULL, 0}; | 53 | NULL, 0, NULL}; |
| 54 | int result = -ENOMEM; | 54 | int result = -ENOMEM; |
| 55 | int violation = 0; | 55 | int violation = 0; |
| 56 | struct { | 56 | struct { |
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index eeee00dce729..c21f09bf8b99 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c | |||
| @@ -106,9 +106,10 @@ static void ima_rdwr_violation_check(struct file *file, | |||
| 106 | *pathname = ima_d_path(&file->f_path, pathbuf); | 106 | *pathname = ima_d_path(&file->f_path, pathbuf); |
| 107 | 107 | ||
| 108 | if (send_tomtou) | 108 | if (send_tomtou) |
| 109 | ima_add_violation(file, *pathname, "invalid_pcr", "ToMToU"); | 109 | ima_add_violation(file, *pathname, iint, |
| 110 | "invalid_pcr", "ToMToU"); | ||
| 110 | if (send_writers) | 111 | if (send_writers) |
| 111 | ima_add_violation(file, *pathname, | 112 | ima_add_violation(file, *pathname, iint, |
| 112 | "invalid_pcr", "open_writers"); | 113 | "invalid_pcr", "open_writers"); |
| 113 | } | 114 | } |
| 114 | 115 | ||
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index 67d513367aac..de0ce4fbdf69 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c | |||
| @@ -209,7 +209,7 @@ int ima_eventdigest_init(struct ima_event_data *event_data, | |||
| 209 | 209 | ||
| 210 | memset(&hash, 0, sizeof(hash)); | 210 | memset(&hash, 0, sizeof(hash)); |
| 211 | 211 | ||
| 212 | if (!event_data->iint) /* recording a violation. */ | 212 | if (event_data->violation) /* recording a violation. */ |
| 213 | goto out; | 213 | goto out; |
| 214 | 214 | ||
| 215 | if (ima_template_hash_algo_allowed(event_data->iint->ima_hash->algo)) { | 215 | if (ima_template_hash_algo_allowed(event_data->iint->ima_hash->algo)) { |
| @@ -247,8 +247,7 @@ int ima_eventdigest_ng_init(struct ima_event_data *event_data, | |||
| 247 | u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1; | 247 | u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1; |
| 248 | u32 cur_digestsize = 0; | 248 | u32 cur_digestsize = 0; |
| 249 | 249 | ||
| 250 | /* If iint is NULL, we are recording a violation. */ | 250 | if (event_data->violation) /* recording a violation. */ |
| 251 | if (!event_data->iint) | ||
| 252 | goto out; | 251 | goto out; |
| 253 | 252 | ||
| 254 | cur_digest = event_data->iint->ima_hash->digest; | 253 | cur_digest = event_data->iint->ima_hash->digest; |