diff options
| author | Roberto Sassu <roberto.sassu@polito.it> | 2013-11-08 13:21:40 -0500 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2013-11-25 07:31:14 -0500 |
| commit | 3e8e5503a33577d89bdb7469b851b11f507bbed6 (patch) | |
| tree | 50621a970614b947f7720db128b6ffaf4a3c7aeb /security/integrity | |
| parent | b6f8f16f41d92861621b043389ef49de1c52d613 (diff) | |
ima: do not send field length to userspace for digest of ima template
This patch defines a new value for the 'ima_show_type' enumerator
(IMA_SHOW_BINARY_NO_FIELD_LEN) to prevent that the field length
is transmitted through the 'binary_runtime_measurements' interface
for the digest field of the 'ima' template.
Fixes commit: 3ce1217 ima: define template fields library and new helpers
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
| -rw-r--r-- | security/integrity/ima/ima.h | 3 | ||||
| -rw-r--r-- | security/integrity/ima/ima_fs.c | 14 | ||||
| -rw-r--r-- | security/integrity/ima/ima_template_lib.c | 6 |
3 files changed, 18 insertions, 5 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index a21cf706d213..9636e17c9f5d 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h | |||
| @@ -26,7 +26,8 @@ | |||
| 26 | 26 | ||
| 27 | #include "../integrity.h" | 27 | #include "../integrity.h" |
| 28 | 28 | ||
| 29 | enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_ASCII }; | 29 | enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN, |
| 30 | IMA_SHOW_ASCII }; | ||
| 30 | enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; | 31 | enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; |
| 31 | 32 | ||
| 32 | /* digest size for IMA, fits SHA1 or MD5 */ | 33 | /* digest size for IMA, fits SHA1 or MD5 */ |
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index d47a7c86a21d..db01125926bd 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c | |||
| @@ -120,6 +120,7 @@ static int ima_measurements_show(struct seq_file *m, void *v) | |||
| 120 | struct ima_template_entry *e; | 120 | struct ima_template_entry *e; |
| 121 | int namelen; | 121 | int namelen; |
| 122 | u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX; | 122 | u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX; |
| 123 | bool is_ima_template = false; | ||
| 123 | int i; | 124 | int i; |
| 124 | 125 | ||
| 125 | /* get entry */ | 126 | /* get entry */ |
| @@ -145,14 +146,21 @@ static int ima_measurements_show(struct seq_file *m, void *v) | |||
| 145 | ima_putc(m, e->template_desc->name, namelen); | 146 | ima_putc(m, e->template_desc->name, namelen); |
| 146 | 147 | ||
| 147 | /* 5th: template length (except for 'ima' template) */ | 148 | /* 5th: template length (except for 'ima' template) */ |
| 148 | if (strcmp(e->template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) | 149 | if (strcmp(e->template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) |
| 150 | is_ima_template = true; | ||
| 151 | |||
| 152 | if (!is_ima_template) | ||
| 149 | ima_putc(m, &e->template_data_len, | 153 | ima_putc(m, &e->template_data_len, |
| 150 | sizeof(e->template_data_len)); | 154 | sizeof(e->template_data_len)); |
| 151 | 155 | ||
| 152 | /* 6th: template specific data */ | 156 | /* 6th: template specific data */ |
| 153 | for (i = 0; i < e->template_desc->num_fields; i++) { | 157 | for (i = 0; i < e->template_desc->num_fields; i++) { |
| 154 | e->template_desc->fields[i]->field_show(m, IMA_SHOW_BINARY, | 158 | enum ima_show_type show = IMA_SHOW_BINARY; |
| 155 | &e->template_data[i]); | 159 | struct ima_template_field *field = e->template_desc->fields[i]; |
| 160 | |||
| 161 | if (is_ima_template && strcmp(field->field_id, "d") == 0) | ||
| 162 | show = IMA_SHOW_BINARY_NO_FIELD_LEN; | ||
| 163 | field->field_show(m, show, &e->template_data[i]); | ||
| 156 | } | 164 | } |
| 157 | return 0; | 165 | return 0; |
| 158 | } | 166 | } |
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index 6d66ad6ed265..c38adcc910fb 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c | |||
| @@ -109,9 +109,12 @@ static void ima_show_template_data_binary(struct seq_file *m, | |||
| 109 | enum data_formats datafmt, | 109 | enum data_formats datafmt, |
| 110 | struct ima_field_data *field_data) | 110 | struct ima_field_data *field_data) |
| 111 | { | 111 | { |
| 112 | ima_putc(m, &field_data->len, sizeof(u32)); | 112 | if (show != IMA_SHOW_BINARY_NO_FIELD_LEN) |
| 113 | ima_putc(m, &field_data->len, sizeof(u32)); | ||
| 114 | |||
| 113 | if (!field_data->len) | 115 | if (!field_data->len) |
| 114 | return; | 116 | return; |
| 117 | |||
| 115 | ima_putc(m, field_data->data, field_data->len); | 118 | ima_putc(m, field_data->data, field_data->len); |
| 116 | } | 119 | } |
| 117 | 120 | ||
| @@ -125,6 +128,7 @@ static void ima_show_template_field_data(struct seq_file *m, | |||
| 125 | ima_show_template_data_ascii(m, show, datafmt, field_data); | 128 | ima_show_template_data_ascii(m, show, datafmt, field_data); |
| 126 | break; | 129 | break; |
| 127 | case IMA_SHOW_BINARY: | 130 | case IMA_SHOW_BINARY: |
| 131 | case IMA_SHOW_BINARY_NO_FIELD_LEN: | ||
| 128 | ima_show_template_data_binary(m, show, datafmt, field_data); | 132 | ima_show_template_data_binary(m, show, datafmt, field_data); |
| 129 | break; | 133 | break; |
| 130 | default: | 134 | default: |