aboutsummaryrefslogtreecommitdiffstats
path: root/security/integrity
diff options
context:
space:
mode:
authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-11-05 10:01:12 -0500
committerMimi Zohar <zohar@linux.vnet.ibm.com>2014-11-17 23:09:18 -0500
commite3c4abbfa97ed0b7aed36f18b32911ccf76d52c2 (patch)
tree2dabccd9c08945c45c701bb42c02959644011066 /security/integrity
parentc2426d2ad5027397342107b7ff094aa9b234acb8 (diff)
integrity: define a new function integrity_read_file()
This patch defines a new function called integrity_read_file() to read file from the kernel into a buffer. Subsequent patches will read a file containing the public keys and load them onto the IMA keyring. This patch moves and renames ima_kernel_read(), the non-security checking version of kernel_read(), to integrity_kernel_read(). Changes in v3: * Patch descriptions improved (Mimi) * Add missing cast (kbuild test robot) Changes in v2: * configuration option removed * function declared as '__init' Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/iint.c78
-rw-r--r--security/integrity/ima/ima_crypto.c35
-rw-r--r--security/integrity/integrity.h4
3 files changed, 85 insertions, 32 deletions
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index cc3eb4de18a1..dbee618526b6 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -19,6 +19,8 @@
19#include <linux/module.h> 19#include <linux/module.h>
20#include <linux/spinlock.h> 20#include <linux/spinlock.h>
21#include <linux/rbtree.h> 21#include <linux/rbtree.h>
22#include <linux/file.h>
23#include <linux/uaccess.h>
22#include "integrity.h" 24#include "integrity.h"
23 25
24static struct rb_root integrity_iint_tree = RB_ROOT; 26static struct rb_root integrity_iint_tree = RB_ROOT;
@@ -167,3 +169,79 @@ static int __init integrity_iintcache_init(void)
167 return 0; 169 return 0;
168} 170}
169security_initcall(integrity_iintcache_init); 171security_initcall(integrity_iintcache_init);
172
173
174/*
175 * integrity_kernel_read - read data from the file
176 *
177 * This is a function for reading file content instead of kernel_read().
178 * It does not perform locking checks to ensure it cannot be blocked.
179 * It does not perform security checks because it is irrelevant for IMA.
180 *
181 */
182int integrity_kernel_read(struct file *file, loff_t offset,
183 char *addr, unsigned long count)
184{
185 mm_segment_t old_fs;
186 char __user *buf = (char __user *)addr;
187 ssize_t ret = -EINVAL;
188
189 if (!(file->f_mode & FMODE_READ))
190 return -EBADF;
191
192 old_fs = get_fs();
193 set_fs(get_ds());
194 if (file->f_op->read)
195 ret = file->f_op->read(file, buf, count, &offset);
196 else if (file->f_op->aio_read)
197 ret = do_sync_read(file, buf, count, &offset);
198 else if (file->f_op->read_iter)
199 ret = new_sync_read(file, buf, count, &offset);
200 set_fs(old_fs);
201 return ret;
202}
203
204/*
205 * integrity_read_file - read entire file content into the buffer
206 *
207 * This is function opens a file, allocates the buffer of required
208 * size, read entire file content to the buffer and closes the file
209 *
210 * It is used only by init code.
211 *
212 */
213int __init integrity_read_file(const char *path, char **data)
214{
215 struct file *file;
216 loff_t size;
217 char *buf;
218 int rc = -EINVAL;
219
220 file = filp_open(path, O_RDONLY, 0);
221 if (IS_ERR(file)) {
222 rc = PTR_ERR(file);
223 pr_err("Unable to open file: %s (%d)", path, rc);
224 return rc;
225 }
226
227 size = i_size_read(file_inode(file));
228 if (size <= 0)
229 goto out;
230
231 buf = kmalloc(size, GFP_KERNEL);
232 if (!buf) {
233 rc = -ENOMEM;
234 goto out;
235 }
236
237 rc = integrity_kernel_read(file, 0, buf, size);
238 if (rc < 0)
239 kfree(buf);
240 else if (rc != size)
241 rc = -EIO;
242 else
243 *data = buf;
244out:
245 fput(file);
246 return rc;
247}
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index d34e7dfc1118..5df4d960d4dc 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -67,36 +67,6 @@ MODULE_PARM_DESC(ahash_bufsize, "Maximum ahash buffer size");
67static struct crypto_shash *ima_shash_tfm; 67static struct crypto_shash *ima_shash_tfm;
68static struct crypto_ahash *ima_ahash_tfm; 68static struct crypto_ahash *ima_ahash_tfm;
69 69
70/**
71 * ima_kernel_read - read file content
72 *
73 * This is a function for reading file content instead of kernel_read().
74 * It does not perform locking checks to ensure it cannot be blocked.
75 * It does not perform security checks because it is irrelevant for IMA.
76 *
77 */
78static int ima_kernel_read(struct file *file, loff_t offset,
79 char *addr, unsigned long count)
80{
81 mm_segment_t old_fs;
82 char __user *buf = addr;
83 ssize_t ret = -EINVAL;
84
85 if (!(file->f_mode & FMODE_READ))
86 return -EBADF;
87
88 old_fs = get_fs();
89 set_fs(get_ds());
90 if (file->f_op->read)
91 ret = file->f_op->read(file, buf, count, &offset);
92 else if (file->f_op->aio_read)
93 ret = do_sync_read(file, buf, count, &offset);
94 else if (file->f_op->read_iter)
95 ret = new_sync_read(file, buf, count, &offset);
96 set_fs(old_fs);
97 return ret;
98}
99
100int __init ima_init_crypto(void) 70int __init ima_init_crypto(void)
101{ 71{
102 long rc; 72 long rc;
@@ -324,7 +294,8 @@ static int ima_calc_file_hash_atfm(struct file *file,
324 } 294 }
325 /* read buffer */ 295 /* read buffer */
326 rbuf_len = min_t(loff_t, i_size - offset, rbuf_size[active]); 296 rbuf_len = min_t(loff_t, i_size - offset, rbuf_size[active]);
327 rc = ima_kernel_read(file, offset, rbuf[active], rbuf_len); 297 rc = integrity_kernel_read(file, offset, rbuf[active],
298 rbuf_len);
328 if (rc != rbuf_len) 299 if (rc != rbuf_len)
329 goto out3; 300 goto out3;
330 301
@@ -417,7 +388,7 @@ static int ima_calc_file_hash_tfm(struct file *file,
417 while (offset < i_size) { 388 while (offset < i_size) {
418 int rbuf_len; 389 int rbuf_len;
419 390
420 rbuf_len = ima_kernel_read(file, offset, rbuf, PAGE_SIZE); 391 rbuf_len = integrity_kernel_read(file, offset, rbuf, PAGE_SIZE);
421 if (rbuf_len < 0) { 392 if (rbuf_len < 0) {
422 rc = rbuf_len; 393 rc = rbuf_len;
423 break; 394 break;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index f51ad65c894d..20d220481025 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -119,6 +119,10 @@ struct integrity_iint_cache {
119 */ 119 */
120struct integrity_iint_cache *integrity_iint_find(struct inode *inode); 120struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
121 121
122int integrity_kernel_read(struct file *file, loff_t offset,
123 char *addr, unsigned long count);
124int __init integrity_read_file(const char *path, char **data);
125
122#define INTEGRITY_KEYRING_EVM 0 126#define INTEGRITY_KEYRING_EVM 0
123#define INTEGRITY_KEYRING_MODULE 1 127#define INTEGRITY_KEYRING_MODULE 1
124#define INTEGRITY_KEYRING_IMA 2 128#define INTEGRITY_KEYRING_IMA 2