author | Roberto Sassu <roberto.sassu@polito.it> | 2014-10-13 08:08:42 -0400 |
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2014-10-13 08:39:02 -0400 |
commit | c2426d2ad5027397342107b7ff094aa9b234acb8 (patch) | |
tree | a94bfc6a99f121a68890388bebbdf8dcc7299ad7 /security | |
parent | 1bd7face74391ddfc568b3e638f156da1ed77aa6 (diff) |
ima: added support for new kernel cmdline parameter ima_template_fmt
This patch allows users to provide a custom template format through the
new kernel command line parameter 'ima_template_fmt'. If the supplied
format is not valid, IMA uses the default template descriptor.
Changelog:
- v3:
- added check for 'fields' and 'num_fields' in
template_desc_init_fields() (suggested by Mimi Zohar)
- v2:
- using template_desc_init_fields() to validate a format string
(Roberto Sassu)
- updated documentation by stating that only the chosen template
descriptor is initialized (Roberto Sassu)
- v1:
- simplified code of ima_template_fmt_setup()
(Roberto Sassu, suggested by Mimi Zohar)
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/ima/ima_template.c | 39 |
1 files changed, 34 insertions, 5 deletions
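--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -24,6 +24,7 @@ static struct ima_template_desc defined_templates[] = {
 {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
 {.name = "ima-ng", .fmt = "d-ng|n-ng"},
 {.name = "ima-sig", .fmt = "d-ng|n-ng|sig"},
+{.name = "", .fmt = ""}, /* placeholder for a custom format */
 };
 
 static struct ima_template_field supported_fields[] = {
@@ -41,12 +42,18 @@ static struct ima_template_field supported_fields[] = {
 
 static struct ima_template_desc *ima_template;
 static struct ima_template_desc *lookup_template_desc(const char *name);
+static int template_desc_init_fields(const char *template_fmt,
+struct ima_template_field ***fields,
+int *num_fields);
 
 static int __init ima_template_setup(char *str)
 {
 struct ima_template_desc *template_desc;
 int template_len = strlen(str);
 
+if (ima_template)
+return 1;
+
 /*
 * Verify that a template with the supplied name exists.
 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
@@ -73,6 +80,25 @@ static int __init ima_template_setup(char *str)
 }
 __setup("ima_template=", ima_template_setup);
 
+static int __init ima_template_fmt_setup(char *str)
+{
+int num_templates = ARRAY_SIZE(defined_templates);
+
+if (ima_template)
+return 1;
+
+if (template_desc_init_fields(str, NULL, NULL) < 0) {
+pr_err("format string '%s' not valid, using template %s\n",
+str, CONFIG_IMA_DEFAULT_TEMPLATE);
+return 1;
+}
+
+defined_templates[num_templates - 1].fmt = str;
+ima_template = defined_templates + num_templates - 1;
+return 1;
+}
+__setup("ima_template_fmt=", ima_template_fmt_setup);
+
 static struct ima_template_desc *lookup_template_desc(const char *name)
 {
 int i;
@@ -146,12 +172,15 @@ static int template_desc_init_fields(const char *template_fmt,
 }
 }
 
-*fields = kmalloc_array(i, sizeof(*fields), GFP_KERNEL);
-if (*fields == NULL)
-return -ENOMEM;
+if (fields && num_fields) {
+*fields = kmalloc_array(i, sizeof(*fields), GFP_KERNEL);
+if (*fields == NULL)
+return -ENOMEM;
+
+memcpy(*fields, found_fields, i * sizeof(*fields));
+*num_fields = i;
+}
 
-memcpy(*fields, found_fields, i * sizeof(*fields));
-*num_fields = i;
 return 0;
 }
 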