authorMimi Zohar <zohar@linux.vnet.ibm.com>2009-02-11 11:12:28 -0500
committerJames Morris <jmorris@namei.org>2009-02-11 17:40:14 -0500
commit523979adfa0b79d4e3aa053220c37a9233294206 (patch)
tree15ff42f935f9d443220edb118f3980432f924360
parented850a52af971528b048812c4215cef298af0d3b (diff)
integrity: audit update
Based on discussions on linux-audit, as per Steve Grubb's request http://lkml.org/lkml/2009/2/6/269, the following changes were made:
- forced the audit result to be either 0 or 1.
- made template names const.
- added a new stand-alone message type: AUDIT_INTEGRITY_RULE.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--include/linux/audit.h4
-rw-r--r--security/integrity/ima/ima.h2
-rw-r--r--security/integrity/ima/ima_api.c2
-rw-r--r--security/integrity/ima/ima_audit.c21
-rw-r--r--security/integrity/ima/ima_fs.c2
-rw-r--r--security/integrity/ima/ima_init.c2
-rw-r--r--security/integrity/ima/ima_policy.c17
7 files changed, 28 insertions, 22 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 930939abfbc..4fa2810b675 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -36,7 +36,8 @@
36 * 1500 - 1599 kernel LSPP events 36 * 1500 - 1599 kernel LSPP events
37 * 1600 - 1699 kernel crypto events 37 * 1600 - 1699 kernel crypto events
38 * 1700 - 1799 kernel anomaly records 38 * 1700 - 1799 kernel anomaly records
39 * 1800 - 1999 future kernel use (maybe integrity labels and related events) 39 * 1800 - 1899 kernel integrity events
40 * 1900 - 1999 future kernel use
40 * 2000 is for otherwise unclassified kernel audit messages (legacy) 41 * 2000 is for otherwise unclassified kernel audit messages (legacy)
41 * 2001 - 2099 unused (kernel) 42 * 2001 - 2099 unused (kernel)
42 * 2100 - 2199 user space anomaly records 43 * 2100 - 2199 user space anomaly records
@@ -130,6 +131,7 @@
130#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */ 131#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
131#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */ 132#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
132#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */ 133#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
134#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
133 135
134#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ 136#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
135 137
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e3c16a21a38..165eb5397ea 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -47,7 +47,7 @@ struct ima_template_data {
47 47
48struct ima_template_entry { 48struct ima_template_entry {
49 u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */ 49 u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
50 char *template_name; 50 const char *template_name;
51 int template_len; 51 int template_len;
52 struct ima_template_data template; 52 struct ima_template_data template;
53}; 53};
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index a148a25804f..3cd58b60afd 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -15,7 +15,7 @@
15#include <linux/module.h> 15#include <linux/module.h>
16 16
17#include "ima.h" 17#include "ima.h"
18static char *IMA_TEMPLATE_NAME = "ima"; 18static const char *IMA_TEMPLATE_NAME = "ima";
19 19
20/* 20/*
21 * ima_store_template - store ima template measurements 21 * ima_store_template - store ima template measurements
diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/ima/ima_audit.c
index 8a0f1e23ccf..1e082bb987b 100644
--- a/security/integrity/ima/ima_audit.c
+++ b/security/integrity/ima/ima_audit.c
@@ -22,16 +22,18 @@ static int ima_audit;
22static int __init ima_audit_setup(char *str) 22static int __init ima_audit_setup(char *str)
23{ 23{
24 unsigned long audit; 24 unsigned long audit;
25 int rc; 25 int rc, result = 0;
26 char *op; 26 char *op = "ima_audit";
27 char *cause;
27 28
28 rc = strict_strtoul(str, 0, &audit); 29 rc = strict_strtoul(str, 0, &audit);
29 if (rc || audit > 1) 30 if (rc || audit > 1)
30 printk(KERN_INFO "ima: invalid ima_audit value\n"); 31 result = 1;
31 else 32 else
32 ima_audit = audit; 33 ima_audit = audit;
33 op = ima_audit ? "ima_audit_enabled" : "ima_audit_not_enabled"; 34 cause = ima_audit ? "enabled" : "not_enabled";
34 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, NULL, op, 0, 0); 35 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
36 op, cause, result, 0);
35 return 1; 37 return 1;
36} 38}
37__setup("ima_audit=", ima_audit_setup); 39__setup("ima_audit=", ima_audit_setup);
@@ -47,20 +49,21 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
47 return; 49 return;
48 50
49 ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno); 51 ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno);
50 audit_log_format(ab, "integrity: pid=%d uid=%u auid=%u", 52 audit_log_format(ab, "integrity: pid=%d uid=%u auid=%u ses=%u",
51 current->pid, current->cred->uid, 53 current->pid, current->cred->uid,
52 audit_get_loginuid(current)); 54 audit_get_loginuid(current),
55 audit_get_sessionid(current));
53 audit_log_task_context(ab); 56 audit_log_task_context(ab);
54 switch (audit_msgno) { 57 switch (audit_msgno) {
55 case AUDIT_INTEGRITY_DATA: 58 case AUDIT_INTEGRITY_DATA:
56 case AUDIT_INTEGRITY_METADATA: 59 case AUDIT_INTEGRITY_METADATA:
57 case AUDIT_INTEGRITY_PCR: 60 case AUDIT_INTEGRITY_PCR:
61 case AUDIT_INTEGRITY_STATUS:
58 audit_log_format(ab, " op=%s cause=%s", op, cause); 62 audit_log_format(ab, " op=%s cause=%s", op, cause);
59 break; 63 break;
60 case AUDIT_INTEGRITY_HASH: 64 case AUDIT_INTEGRITY_HASH:
61 audit_log_format(ab, " op=%s hash=%s", op, cause); 65 audit_log_format(ab, " op=%s hash=%s", op, cause);
62 break; 66 break;
63 case AUDIT_INTEGRITY_STATUS:
64 default: 67 default:
65 audit_log_format(ab, " op=%s", op); 68 audit_log_format(ab, " op=%s", op);
66 } 69 }
@@ -73,6 +76,6 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
73 if (inode) 76 if (inode)
74 audit_log_format(ab, " dev=%s ino=%lu", 77 audit_log_format(ab, " dev=%s ino=%lu",
75 inode->i_sb->s_id, inode->i_ino); 78 inode->i_sb->s_id, inode->i_ino);
76 audit_log_format(ab, " res=%d", result); 79 audit_log_format(ab, " res=%d", !result ? 0 : 1);
77 audit_log_end(ab); 80 audit_log_end(ab);
78} 81}
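Review bot: The new `res=` encoding at the end of integrity_audit_msg emits res=0 when `result` is zero and res=1 otherwise, but every caller visible on this page passes `result` as an error code (ima_audit_setup sets result=1 on a bad value, ima_parse_add_rule passes its 0-or-negative result), so success is logged as res=0 and failure as res=1. If the audit subsystem's usual convention of res=1 for success is intended here, the line should read `audit_log_format(ab, " res=%d", !result);`. Separately, with the printk gone, ima_audit_setup no longer distinguishes an invalid `ima_audit=` value from a plain 0: both log cause=not_enabled and only res differs, so a distinct cause on the error branch, e.g. `cause = "invalid_value";` before the audit call, would preserve that information. integrity_audit_msg's signature and its early-return check lie before this hunk.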
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 573780c76f1..ffbe259700b 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -137,7 +137,7 @@ static int ima_measurements_show(struct seq_file *m, void *v)
137 ima_putc(m, &namelen, sizeof namelen); 137 ima_putc(m, &namelen, sizeof namelen);
138 138
139 /* 4th: template name */ 139 /* 4th: template name */
140 ima_putc(m, e->template_name, namelen); 140 ima_putc(m, (void *)e->template_name, namelen);
141 141
142 /* 5th: template specific data */ 142 /* 5th: template specific data */
143 ima_template_show(m, (struct ima_template_data *)&e->template, 143 ima_template_show(m, (struct ima_template_data *)&e->template,
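Review bot: The `(void *)` cast on the template name in ima_measurements_show exists only to strip the const this commit adds to template_name, presumably because ima_putc takes a non-const pointer; casting the qualifier away hides it rather than honouring it, and the pointee is string-literal storage. The cleaner fix is to make ima_putc's parameter `const void *data` (its definition is outside this hunk) and drop the cast, `ima_putc(m, e->template_name, namelen);`. ima_measurements_show begins and ends outside this hunk.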
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index cf227dbfac2..0b0bb8c978c 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -20,7 +20,7 @@
20#include "ima.h" 20#include "ima.h"
21 21
22/* name for boot aggregate entry */ 22/* name for boot aggregate entry */
23static char *boot_aggregate_name = "boot_aggregate"; 23static const char *boot_aggregate_name = "boot_aggregate";
24int ima_used_chip; 24int ima_used_chip;
25 25
26/* Add the boot aggregate to the IMA measurement list and extend 26/* Add the boot aggregate to the IMA measurement list and extend
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 23810e0bfc6..b5291ad5ef5 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -12,7 +12,6 @@
12 */ 12 */
13#include <linux/module.h> 13#include <linux/module.h>
14#include <linux/list.h> 14#include <linux/list.h>
15#include <linux/audit.h>
16#include <linux/security.h> 15#include <linux/security.h>
17#include <linux/magic.h> 16#include <linux/magic.h>
18#include <linux/parser.h> 17#include <linux/parser.h>
@@ -239,8 +238,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
239 char *p; 238 char *p;
240 int result = 0; 239 int result = 0;
241 240
242 ab = audit_log_start(current->audit_context, GFP_KERNEL, 241 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
243 AUDIT_INTEGRITY_STATUS);
244 242
245 entry->action = -1; 243 entry->action = -1;
246 while ((p = strsep(&rule, " \n")) != NULL) { 244 while ((p = strsep(&rule, " \n")) != NULL) {
@@ -345,15 +343,14 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
345 AUDIT_SUBJ_TYPE); 343 AUDIT_SUBJ_TYPE);
346 break; 344 break;
347 case Opt_err: 345 case Opt_err:
348 printk(KERN_INFO "%s: unknown token: %s\n", 346 audit_log_format(ab, "UNKNOWN=%s ", p);
349 __FUNCTION__, p);
350 break; 347 break;
351 } 348 }
352 } 349 }
353 if (entry->action == UNKNOWN) 350 if (entry->action == UNKNOWN)
354 result = -EINVAL; 351 result = -EINVAL;
355 352
356 audit_log_format(ab, "res=%d", result); 353 audit_log_format(ab, "res=%d", !result ? 0 : 1);
357 audit_log_end(ab); 354 audit_log_end(ab);
358 return result; 355 return result;
359} 356}
@@ -367,7 +364,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
367 */ 364 */
368int ima_parse_add_rule(char *rule) 365int ima_parse_add_rule(char *rule)
369{ 366{
370 const char *op = "add_rule"; 367 const char *op = "update_policy";
371 struct ima_measure_rule_entry *entry; 368 struct ima_measure_rule_entry *entry;
372 int result = 0; 369 int result = 0;
373 int audit_info = 0; 370 int audit_info = 0;
@@ -394,8 +391,12 @@ int ima_parse_add_rule(char *rule)
394 mutex_lock(&ima_measure_mutex); 391 mutex_lock(&ima_measure_mutex);
395 list_add_tail(&entry->list, &measure_policy_rules); 392 list_add_tail(&entry->list, &measure_policy_rules);
396 mutex_unlock(&ima_measure_mutex); 393 mutex_unlock(&ima_measure_mutex);
397 } else 394 } else {
398 kfree(entry); 395 kfree(entry);
396 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
397 NULL, op, "invalid policy", result,
398 audit_info);
399 }
399 return result; 400 return result;
400} 401}
401 402
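Review bot: In ima_parse_rule the Opt_err branch now writes the unrecognised token straight into the audit record with `audit_log_format(ab, "UNKNOWN=%s ", p)`; `p` is a fragment of the rule text written by userspace to the policy file, so anything in it other than the space/newline strsep strips (quotes, `=`, control bytes) lands unescaped in a key=value record and can break audit parsers. Audit provides a helper for exactly this case: `audit_log_format(ab, "UNKNOWN="); audit_log_untrustedstring(ab, p); audit_log_format(ab, " ");`. The `res=` written at the end of the same function is 0 on the success path (`result` stays 0) and 1 on -EINVAL, which is the reverse of the audit convention where res=1 marks success, if that convention is intended; `audit_log_format(ab, "res=%d", !result);` would flip it. ima_parse_rule starts before the first of these hunks.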