diff options
| author | Roberto Sassu <roberto.sassu@polito.it> | 2013-06-07 06:16:33 -0400 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2013-10-25 17:17:06 -0400 |
| commit | a71dc65d30a472409f05d247f4eab91b14acf2f5 (patch) | |
| tree | 0d0798a7a40af5db7d44608de1f64ca872bfaf1c /security/integrity/ima/ima_fs.c | |
| parent | 4d7aeee73f5304bf195aa2904f8eb1d7b2e8fe52 (diff) | |
ima: switch to new template management mechanism
This patch performs the switch to the new template mechanism by modifying
the functions ima_alloc_init_template(), ima_measurements_show() and
ima_ascii_measurements_show(). The old function ima_template_show() was
removed as it is no longer needed. Also, if the template descriptor used
to generate a measurement entry is not 'ima', the whole length of field
data stored for an entry is provided before the data itself through the
binary_runtime_measurement interface.
Changelog:
- unnecessary to use strncmp() (Mimi Zohar)
- create new variable 'field' in ima_alloc_init_template() (Roberto Sassu)
- use GFP_NOFS flag in ima_alloc_init_template() (Roberto Sassu)
- new variable 'num_fields' in ima_store_template() (Roberto Sassu,
proposed by Mimi Zohar)
- rename ima_calc_buffer_hash/template_hash() to ima_calc_field_array_hash(),
something more generic (Mimi, requested by Dmitry)
- sparse error fix - Fengguang Wu
- fix lindent warnings
- always include the field length in the template data length
- include the template field length variable size in the template data length
- include both the template field data and field length in the template digest
calculation. Simplifies verifying the template digest. (Mimi)
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/ima/ima_fs.c')
| -rw-r--r-- | security/integrity/ima/ima_fs.c | 54 |
1 files changed, 25 insertions, 29 deletions
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 414862e1904b..d47a7c86a21d 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c | |||
| @@ -110,6 +110,7 @@ void ima_putc(struct seq_file *m, void *data, int datalen) | |||
| 110 | * char[20]=template digest | 110 | * char[20]=template digest |
| 111 | * 32bit-le=template name size | 111 | * 32bit-le=template name size |
| 112 | * char[n]=template name | 112 | * char[n]=template name |
| 113 | * [eventdata length] | ||
| 113 | * eventdata[n]=template specific data | 114 | * eventdata[n]=template specific data |
| 114 | */ | 115 | */ |
| 115 | static int ima_measurements_show(struct seq_file *m, void *v) | 116 | static int ima_measurements_show(struct seq_file *m, void *v) |
| @@ -119,6 +120,7 @@ static int ima_measurements_show(struct seq_file *m, void *v) | |||
| 119 | struct ima_template_entry *e; | 120 | struct ima_template_entry *e; |
| 120 | int namelen; | 121 | int namelen; |
| 121 | u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX; | 122 | u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX; |
| 123 | int i; | ||
| 122 | 124 | ||
| 123 | /* get entry */ | 125 | /* get entry */ |
| 124 | e = qe->entry; | 126 | e = qe->entry; |
| @@ -136,15 +138,22 @@ static int ima_measurements_show(struct seq_file *m, void *v) | |||
| 136 | ima_putc(m, e->digest, TPM_DIGEST_SIZE); | 138 | ima_putc(m, e->digest, TPM_DIGEST_SIZE); |
| 137 | 139 | ||
| 138 | /* 3rd: template name size */ | 140 | /* 3rd: template name size */ |
| 139 | namelen = strlen(e->template_name); | 141 | namelen = strlen(e->template_desc->name); |
| 140 | ima_putc(m, &namelen, sizeof namelen); | 142 | ima_putc(m, &namelen, sizeof namelen); |
| 141 | 143 | ||
| 142 | /* 4th: template name */ | 144 | /* 4th: template name */ |
| 143 | ima_putc(m, (void *)e->template_name, namelen); | 145 | ima_putc(m, e->template_desc->name, namelen); |
| 146 | |||
| 147 | /* 5th: template length (except for 'ima' template) */ | ||
| 148 | if (strcmp(e->template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) | ||
| 149 | ima_putc(m, &e->template_data_len, | ||
| 150 | sizeof(e->template_data_len)); | ||
| 144 | 151 | ||
| 145 | /* 5th: template specific data */ | 152 | /* 6th: template specific data */ |
| 146 | ima_template_show(m, (struct ima_template_data *)&e->template, | 153 | for (i = 0; i < e->template_desc->num_fields; i++) { |
| 147 | IMA_SHOW_BINARY); | 154 | e->template_desc->fields[i]->field_show(m, IMA_SHOW_BINARY, |
| 155 | &e->template_data[i]); | ||
| 156 | } | ||
| 148 | return 0; | 157 | return 0; |
| 149 | } | 158 | } |
| 150 | 159 | ||
| @@ -175,33 +184,13 @@ void ima_print_digest(struct seq_file *m, u8 *digest, int size) | |||
| 175 | seq_printf(m, "%02x", *(digest + i)); | 184 | seq_printf(m, "%02x", *(digest + i)); |
| 176 | } | 185 | } |
| 177 | 186 | ||
| 178 | void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show) | ||
| 179 | { | ||
| 180 | struct ima_template_data *entry = e; | ||
| 181 | int namelen; | ||
| 182 | |||
| 183 | switch (show) { | ||
| 184 | case IMA_SHOW_ASCII: | ||
| 185 | ima_print_digest(m, entry->digest, IMA_DIGEST_SIZE); | ||
| 186 | seq_printf(m, " %s\n", entry->file_name); | ||
| 187 | break; | ||
| 188 | case IMA_SHOW_BINARY: | ||
| 189 | ima_putc(m, entry->digest, IMA_DIGEST_SIZE); | ||
| 190 | |||
| 191 | namelen = strlen(entry->file_name); | ||
| 192 | ima_putc(m, &namelen, sizeof namelen); | ||
| 193 | ima_putc(m, entry->file_name, namelen); | ||
| 194 | default: | ||
| 195 | break; | ||
| 196 | } | ||
| 197 | } | ||
| 198 | |||
| 199 | /* print in ascii */ | 187 | /* print in ascii */ |
| 200 | static int ima_ascii_measurements_show(struct seq_file *m, void *v) | 188 | static int ima_ascii_measurements_show(struct seq_file *m, void *v) |
| 201 | { | 189 | { |
| 202 | /* the list never shrinks, so we don't need a lock here */ | 190 | /* the list never shrinks, so we don't need a lock here */ |
| 203 | struct ima_queue_entry *qe = v; | 191 | struct ima_queue_entry *qe = v; |
| 204 | struct ima_template_entry *e; | 192 | struct ima_template_entry *e; |
| 193 | int i; | ||
| 205 | 194 | ||
| 206 | /* get entry */ | 195 | /* get entry */ |
| 207 | e = qe->entry; | 196 | e = qe->entry; |
| @@ -215,11 +204,18 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v) | |||
| 215 | ima_print_digest(m, e->digest, TPM_DIGEST_SIZE); | 204 | ima_print_digest(m, e->digest, TPM_DIGEST_SIZE); |
| 216 | 205 | ||
| 217 | /* 3th: template name */ | 206 | /* 3th: template name */ |
| 218 | seq_printf(m, " %s ", e->template_name); | 207 | seq_printf(m, " %s", e->template_desc->name); |
| 219 | 208 | ||
| 220 | /* 4th: template specific data */ | 209 | /* 4th: template specific data */ |
| 221 | ima_template_show(m, (struct ima_template_data *)&e->template, | 210 | for (i = 0; i < e->template_desc->num_fields; i++) { |
| 222 | IMA_SHOW_ASCII); | 211 | seq_puts(m, " "); |
| 212 | if (e->template_data[i].len == 0) | ||
| 213 | continue; | ||
| 214 | |||
| 215 | e->template_desc->fields[i]->field_show(m, IMA_SHOW_ASCII, | ||
| 216 | &e->template_data[i]); | ||
| 217 | } | ||
| 218 | seq_puts(m, "\n"); | ||
| 223 | return 0; | 219 | return 0; |
| 224 | } | 220 | } |
| 225 | 221 | ||