diff options
| author | Roberto Sassu <roberto.sassu@polito.it> | 2013-11-08 13:21:39 -0500 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2013-11-25 07:26:28 -0500 |
| commit | b6f8f16f41d92861621b043389ef49de1c52d613 (patch) | |
| tree | 4aa54f988efc980c6f5ec7845fda7761fa667c16 /security | |
| parent | 4c1cc40a2d49500d84038ff751bc6cd183e729b5 (diff) | |
ima: do not include field length in template digest calc for ima template
To maintain compatibility with userspace tools, the field length must not
be included in the template digest calculation for the 'ima' template.
Fixes commit: a71dc65 ima: switch to new template management mechanism
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/integrity/ima/ima.h | 3 | ||||
| -rw-r--r-- | security/integrity/ima/ima_api.c | 1 | ||||
| -rw-r--r-- | security/integrity/ima/ima_crypto.c | 17 |
3 files changed, 15 insertions, 6 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index bf03c6a16cc8..a21cf706d213 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h | |||
| @@ -97,7 +97,8 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation, | |||
| 97 | const char *op, struct inode *inode, | 97 | const char *op, struct inode *inode, |
| 98 | const unsigned char *filename); | 98 | const unsigned char *filename); |
| 99 | int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash); | 99 | int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash); |
| 100 | int ima_calc_field_array_hash(struct ima_field_data *field_data, int num_fields, | 100 | int ima_calc_field_array_hash(struct ima_field_data *field_data, |
| 101 | struct ima_template_desc *desc, int num_fields, | ||
| 101 | struct ima_digest_data *hash); | 102 | struct ima_digest_data *hash); |
| 102 | int __init ima_calc_boot_aggregate(struct ima_digest_data *hash); | 103 | int __init ima_calc_boot_aggregate(struct ima_digest_data *hash); |
| 103 | void ima_add_violation(struct file *file, const unsigned char *filename, | 104 | void ima_add_violation(struct file *file, const unsigned char *filename, |
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 0e7540863fc2..80374842fe0b 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c | |||
| @@ -94,6 +94,7 @@ int ima_store_template(struct ima_template_entry *entry, | |||
| 94 | /* this function uses default algo */ | 94 | /* this function uses default algo */ |
| 95 | hash.hdr.algo = HASH_ALGO_SHA1; | 95 | hash.hdr.algo = HASH_ALGO_SHA1; |
| 96 | result = ima_calc_field_array_hash(&entry->template_data[0], | 96 | result = ima_calc_field_array_hash(&entry->template_data[0], |
| 97 | entry->template_desc, | ||
| 97 | num_fields, &hash.hdr); | 98 | num_fields, &hash.hdr); |
| 98 | if (result < 0) { | 99 | if (result < 0) { |
| 99 | integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, | 100 | integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, |
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c index 676e0292dfec..fdf60def52e9 100644 --- a/security/integrity/ima/ima_crypto.c +++ b/security/integrity/ima/ima_crypto.c | |||
| @@ -140,6 +140,7 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash) | |||
| 140 | * Calculate the hash of template data | 140 | * Calculate the hash of template data |
| 141 | */ | 141 | */ |
| 142 | static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data, | 142 | static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data, |
| 143 | struct ima_template_desc *td, | ||
| 143 | int num_fields, | 144 | int num_fields, |
| 144 | struct ima_digest_data *hash, | 145 | struct ima_digest_data *hash, |
| 145 | struct crypto_shash *tfm) | 146 | struct crypto_shash *tfm) |
| @@ -160,9 +161,13 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data, | |||
| 160 | return rc; | 161 | return rc; |
| 161 | 162 | ||
| 162 | for (i = 0; i < num_fields; i++) { | 163 | for (i = 0; i < num_fields; i++) { |
| 163 | rc = crypto_shash_update(&desc.shash, | 164 | if (strcmp(td->name, IMA_TEMPLATE_IMA_NAME) != 0) { |
| 164 | (const u8 *) &field_data[i].len, | 165 | rc = crypto_shash_update(&desc.shash, |
| 165 | sizeof(field_data[i].len)); | 166 | (const u8 *) &field_data[i].len, |
| 167 | sizeof(field_data[i].len)); | ||
| 168 | if (rc) | ||
| 169 | break; | ||
| 170 | } | ||
| 166 | rc = crypto_shash_update(&desc.shash, field_data[i].data, | 171 | rc = crypto_shash_update(&desc.shash, field_data[i].data, |
| 167 | field_data[i].len); | 172 | field_data[i].len); |
| 168 | if (rc) | 173 | if (rc) |
| @@ -175,7 +180,8 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data, | |||
| 175 | return rc; | 180 | return rc; |
| 176 | } | 181 | } |
| 177 | 182 | ||
| 178 | int ima_calc_field_array_hash(struct ima_field_data *field_data, int num_fields, | 183 | int ima_calc_field_array_hash(struct ima_field_data *field_data, |
| 184 | struct ima_template_desc *desc, int num_fields, | ||
| 179 | struct ima_digest_data *hash) | 185 | struct ima_digest_data *hash) |
| 180 | { | 186 | { |
| 181 | struct crypto_shash *tfm; | 187 | struct crypto_shash *tfm; |
| @@ -185,7 +191,8 @@ int ima_calc_field_array_hash(struct ima_field_data *field_data, int num_fields, | |||
| 185 | if (IS_ERR(tfm)) | 191 | if (IS_ERR(tfm)) |
| 186 | return PTR_ERR(tfm); | 192 | return PTR_ERR(tfm); |
| 187 | 193 | ||
| 188 | rc = ima_calc_field_array_hash_tfm(field_data, num_fields, hash, tfm); | 194 | rc = ima_calc_field_array_hash_tfm(field_data, desc, num_fields, |
| 195 | hash, tfm); | ||
| 189 | 196 | ||
| 190 | ima_free_tfm(tfm); | 197 | ima_free_tfm(tfm); |
| 191 | 198 | ||