ima: provide hash algo info in the xattr

All files labeled with 'security.ima' hashes, are hashed using the same hash algorithm. Changing from one hash algorithm to another, requires relabeling the filesystem. This patch defines a new xattr type, which includes the hash algorithm, permitting different files to be hashed with different algorithms. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
author: Dmitry Kasatkin <d.kasatkin@samsung.com> 2013-08-12 04:22:51 -0400
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2013-10-26 21:32:55 -0400
commit: 3ea7a56067e663278470c04fd655adf809e72d4d (patch)
tree: 8216b30887dc86cf7594f6fd1cc729b7eda28c0a /security/integrity
parent: e7a2ad7eb6f48ad80c70a22dd8167fb34b409466 (diff)
2 files changed, 59 insertions, 15 deletions
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 116630ca5ff3..734e9468aca0 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -15,6 +15,7 @@
 #include <linux/magic.h>
 #include <linux/ima.h>
 #include <linux/evm.h>
+#include <crypto/hash_info.h>
 #include "ima.h"
@@ -45,10 +46,22 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
 static int ima_fix_xattr(struct dentry *dentry,
                         struct integrity_iint_cache *iint)
 {
-        iint->ima_hash->type = IMA_XATTR_DIGEST;
+        int rc, offset;
-        return __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
+        u8 algo = iint->ima_hash->algo;
-                                     &iint->ima_hash->type,
-                                     1 + iint->ima_hash->length, 0);
+        if (algo <= HASH_ALGO_SHA1) {
+                offset = 1;
+                iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
+        } else {
+                offset = 0;
+                iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
+                iint->ima_hash->xattr.ng.algo = algo;
+        }
+        rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
+                                   &iint->ima_hash->xattr.data[offset],
+                                   (sizeof(iint->ima_hash->xattr) - offset) +
+                                   iint->ima_hash->length, 0);
+        return rc;
 }
 /* Return specific func appraised cached result */
@@ -112,15 +125,31 @@ void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
 {
        struct signature_v2_hdr *sig;
-        if (!xattr_value || xattr_len < 0 || xattr_len <= 1 + sizeof(*sig))
+        if (!xattr_value || xattr_len < 2)
                return;
-        sig = (typeof(sig)) xattr_value->digest;
+        switch (xattr_value->type) {
+        case EVM_IMA_XATTR_DIGSIG:
-        if (xattr_value->type != EVM_IMA_XATTR_DIGSIG || sig->version != 2)
+                sig = (typeof(sig))xattr_value;
-                return;
+                if (sig->version != 2 || xattr_len <= sizeof(*sig))
+                        return;
-        hash->algo = sig->hash_algo;
+                hash->algo = sig->hash_algo;
+                break;
+        case IMA_XATTR_DIGEST_NG:
+                hash->algo = xattr_value->digest[0];
+                break;
+        case IMA_XATTR_DIGEST:
+                /* this is for backward compatibility */
+                if (xattr_len == 21) {
+                        unsigned int zero = 0;
+                        if (!memcmp(&xattr_value->digest[16], &zero, 4))
+                                hash->algo = HASH_ALGO_MD5;
+                        else
+                                hash->algo = HASH_ALGO_SHA1;
+                } else if (xattr_len == 17)
+                        hash->algo = HASH_ALGO_MD5;
+                break;
+        }
 }
 int ima_read_xattr(struct dentry *dentry,
@@ -153,7 +182,7 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
        enum integrity_status status = INTEGRITY_UNKNOWN;
        const char *op = "appraise_data";
        char *cause = "unknown";
-        int rc = xattr_len;
+        int rc = xattr_len, hash_start = 0;
        if (!ima_appraise)
                return 0;
@@ -180,17 +209,21 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
                goto out;
        }
        switch (xattr_value->type) {
+        case IMA_XATTR_DIGEST_NG:
+                /* first byte contains algorithm id */
+                hash_start = 1;
        case IMA_XATTR_DIGEST:
                if (iint->flags & IMA_DIGSIG_REQUIRED) {
                        cause = "IMA signature required";
                        status = INTEGRITY_FAIL;
                        break;
                }
-                if (xattr_len - 1 >= iint->ima_hash->length)
+                if (xattr_len - sizeof(xattr_value->type) - hash_start >=
+                                iint->ima_hash->length)
                        /* xattr length may be longer. md5 hash in previous
                           version occupied 20 bytes in xattr, instead of 16
                         */
-                        rc = memcmp(xattr_value->digest,
+                        rc = memcmp(&xattr_value->digest[hash_start],
                                    iint->ima_hash->digest,
                                    iint->ima_hash->length);
                else
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 5429ca59125b..2fb5e53e927f 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -54,6 +54,7 @@ enum evm_ima_xattr_type {
        IMA_XATTR_DIGEST = 0x01,
        EVM_XATTR_HMAC,
        EVM_IMA_XATTR_DIGSIG,
+        IMA_XATTR_DIGEST_NG,
 };
 struct evm_ima_xattr_data {
@@ -66,7 +67,17 @@ struct evm_ima_xattr_data {
 struct ima_digest_data {
        u8 algo;
        u8 length;
-        u8 type;
+        union {
+                struct {
+                        u8 unused;
+                        u8 type;
+                } sha1;
+                struct {
+                        u8 type;
+                        u8 algo;
+                } ng;
+                u8 data[2];
+        } xattr;
        u8 digest[0];
 } __packed;
author	Dmitry Kasatkin <d.kasatkin@samsung.com>	2013-08-12 04:22:51 -0400
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2013-10-26 21:32:55 -0400
commit	3ea7a56067e663278470c04fd655adf809e72d4d (patch)
tree	8216b30887dc86cf7594f6fd1cc729b7eda28c0a /security/integrity
parent	e7a2ad7eb6f48ad80c70a22dd8167fb34b409466 (diff)

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 116630ca5ff3..734e9468aca0 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c
@@ -15,6 +15,7 @@
15	#include <linux/magic.h>	15	#include <linux/magic.h>
16	#include <linux/ima.h>	16	#include <linux/ima.h>
17	#include <linux/evm.h>	17	#include <linux/evm.h>
		18	#include <crypto/hash_info.h>
18		19
19	#include "ima.h"	20	#include "ima.h"
20		21
@@ -45,10 +46,22 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
45	static int ima_fix_xattr(struct dentry *dentry,	46	static int ima_fix_xattr(struct dentry *dentry,
46	struct integrity_iint_cache *iint)	47	struct integrity_iint_cache *iint)
47	{	48	{
48	iint->ima_hash->type = IMA_XATTR_DIGEST;	49	int rc, offset;
49	return __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,	50	u8 algo = iint->ima_hash->algo;
50	&iint->ima_hash->type,	51
51	1 + iint->ima_hash->length, 0);	52	if (algo <= HASH_ALGO_SHA1) {
		53	offset = 1;
		54	iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
		55	} else {
		56	offset = 0;
		57	iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
		58	iint->ima_hash->xattr.ng.algo = algo;
		59	}
		60	rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
		61	&iint->ima_hash->xattr.data[offset],
		62	(sizeof(iint->ima_hash->xattr) - offset) +
		63	iint->ima_hash->length, 0);
		64	return rc;
52	}	65	}
53		66
54	/* Return specific func appraised cached result */	67	/* Return specific func appraised cached result */
@@ -112,15 +125,31 @@ void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
112	{	125	{
113	struct signature_v2_hdr *sig;	126	struct signature_v2_hdr *sig;
114		127
115	if (!xattr_value \|\| xattr_len < 0 \|\| xattr_len <= 1 + sizeof(*sig))	128	if (!xattr_value \|\| xattr_len < 2)
116	return;	129	return;
117		130
118	sig = (typeof(sig)) xattr_value->digest;	131	switch (xattr_value->type) {
119		132	case EVM_IMA_XATTR_DIGSIG:
120	if (xattr_value->type != EVM_IMA_XATTR_DIGSIG \|\| sig->version != 2)	133	sig = (typeof(sig))xattr_value;
121	return;	134	if (sig->version != 2 \|\| xattr_len <= sizeof(*sig))
122		135	return;
123	hash->algo = sig->hash_algo;	136	hash->algo = sig->hash_algo;
		137	break;
		138	case IMA_XATTR_DIGEST_NG:
		139	hash->algo = xattr_value->digest[0];
		140	break;
		141	case IMA_XATTR_DIGEST:
		142	/* this is for backward compatibility */
		143	if (xattr_len == 21) {
		144	unsigned int zero = 0;
		145	if (!memcmp(&xattr_value->digest[16], &zero, 4))
		146	hash->algo = HASH_ALGO_MD5;
		147	else
		148	hash->algo = HASH_ALGO_SHA1;
		149	} else if (xattr_len == 17)
		150	hash->algo = HASH_ALGO_MD5;
		151	break;
		152	}
124	}	153	}
125		154
126	int ima_read_xattr(struct dentry *dentry,	155	int ima_read_xattr(struct dentry *dentry,
@@ -153,7 +182,7 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
153	enum integrity_status status = INTEGRITY_UNKNOWN;	182	enum integrity_status status = INTEGRITY_UNKNOWN;
154	const char *op = "appraise_data";	183	const char *op = "appraise_data";
155	char *cause = "unknown";	184	char *cause = "unknown";
156	int rc = xattr_len;	185	int rc = xattr_len, hash_start = 0;
157		186
158	if (!ima_appraise)	187	if (!ima_appraise)
159	return 0;	188	return 0;
@@ -180,17 +209,21 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
180	goto out;	209	goto out;
181	}	210	}
182	switch (xattr_value->type) {	211	switch (xattr_value->type) {
		212	case IMA_XATTR_DIGEST_NG:
		213	/* first byte contains algorithm id */
		214	hash_start = 1;
183	case IMA_XATTR_DIGEST:	215	case IMA_XATTR_DIGEST:
184	if (iint->flags & IMA_DIGSIG_REQUIRED) {	216	if (iint->flags & IMA_DIGSIG_REQUIRED) {
185	cause = "IMA signature required";	217	cause = "IMA signature required";
186	status = INTEGRITY_FAIL;	218	status = INTEGRITY_FAIL;
187	break;	219	break;
188	}	220	}
189	if (xattr_len - 1 >= iint->ima_hash->length)	221	if (xattr_len - sizeof(xattr_value->type) - hash_start >=
		222	iint->ima_hash->length)
190	/* xattr length may be longer. md5 hash in previous	223	/* xattr length may be longer. md5 hash in previous
191	version occupied 20 bytes in xattr, instead of 16	224	version occupied 20 bytes in xattr, instead of 16
192	*/	225	*/
193	rc = memcmp(xattr_value->digest,	226	rc = memcmp(&xattr_value->digest[hash_start],
194	iint->ima_hash->digest,	227	iint->ima_hash->digest,
195	iint->ima_hash->length);	228	iint->ima_hash->length);
196	else	229	else


diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 5429ca59125b..2fb5e53e927f 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h
@@ -54,6 +54,7 @@ enum evm_ima_xattr_type {
54	IMA_XATTR_DIGEST = 0x01,	54	IMA_XATTR_DIGEST = 0x01,
55	EVM_XATTR_HMAC,	55	EVM_XATTR_HMAC,
56	EVM_IMA_XATTR_DIGSIG,	56	EVM_IMA_XATTR_DIGSIG,
		57	IMA_XATTR_DIGEST_NG,
57	};	58	};
58		59
59	struct evm_ima_xattr_data {	60	struct evm_ima_xattr_data {
@@ -66,7 +67,17 @@ struct evm_ima_xattr_data {
66	struct ima_digest_data {	67	struct ima_digest_data {
67	u8 algo;	68	u8 algo;
68	u8 length;	69	u8 length;
69	u8 type;	70	union {
		71	struct {
		72	u8 unused;
		73	u8 type;
		74	} sha1;
		75	struct {
		76	u8 type;
		77	u8 algo;
		78	} ng;
		79	u8 data[2];
		80	} xattr;
70	u8 digest[0];	81	u8 digest[0];
71	} __packed;	82	} __packed;
72		83