authorRoberto Sassu <roberto.sassu@polito.it>2014-10-13 08:08:42 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2014-10-13 08:39:02 -0400
commitc2426d2ad5027397342107b7ff094aa9b234acb8 (patch)
treea94bfc6a99f121a68890388bebbdf8dcc7299ad7 /security
parent1bd7face74391ddfc568b3e638f156da1ed77aa6 (diff)
ima: added support for new kernel cmdline parameter ima_template_fmt
This patch allows users to provide a custom template format through the new kernel command line parameter 'ima_template_fmt'. If the supplied format is not valid, IMA uses the default template descriptor. Changelog: - v3: - added check for 'fields' and 'num_fields' in template_desc_init_fields() (suggested by Mimi Zohar) - v2: - using template_desc_init_fields() to validate a format string (Roberto Sassu) - updated documentation by stating that only the chosen template descriptor is initialized (Roberto Sassu) - v1: - simplified code of ima_template_fmt_setup() (Roberto Sassu, suggested by Mimi Zohar) Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/ima/ima_template.c39
1 files changed, 34 insertions, 5 deletions
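--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -24,6 +24,7 @@ static struct ima_template_desc defined_templates[] = {
 	{.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
 	{.name = "ima-ng", .fmt = "d-ng|n-ng"},
 	{.name = "ima-sig", .fmt = "d-ng|n-ng|sig"},
+	{.name = "", .fmt = ""}, /* placeholder for a custom format */
 };
 
 static struct ima_template_field supported_fields[] = {
@@ -41,12 +42,18 @@ static struct ima_template_field supported_fields[] = {
 
 static struct ima_template_desc *ima_template;
 static struct ima_template_desc *lookup_template_desc(const char *name);
+static int template_desc_init_fields(const char *template_fmt,
+				     struct ima_template_field ***fields,
+				     int *num_fields);
 
 static int __init ima_template_setup(char *str)
 {
 	struct ima_template_desc *template_desc;
 	int template_len = strlen(str);
 
+	if (ima_template)
+		return 1;
+
 	/*
 	 * Verify that a template with the supplied name exists.
 	 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
@@ -73,6 +80,25 @@ static int __init ima_template_setup(char *str)
 }
 __setup("ima_template=", ima_template_setup);
 
+static int __init ima_template_fmt_setup(char *str)
+{
+	int num_templates = ARRAY_SIZE(defined_templates);
+
+	if (ima_template)
+		return 1;
+
+	if (template_desc_init_fields(str, NULL, NULL) < 0) {
+		pr_err("format string '%s' not valid, using template %s\n",
+		       str, CONFIG_IMA_DEFAULT_TEMPLATE);
+		return 1;
+	}
+
+	defined_templates[num_templates - 1].fmt = str;
+	ima_template = defined_templates + num_templates - 1;
+	return 1;
+}
+__setup("ima_template_fmt=", ima_template_fmt_setup);
+
 static struct ima_template_desc *lookup_template_desc(const char *name)
 {
 	int i;
@@ -146,12 +172,15 @@ static int template_desc_init_fields(const char *template_fmt,
 		}
 	}
 
-	*fields = kmalloc_array(i, sizeof(*fields), GFP_KERNEL);
-	if (*fields == NULL)
-		return -ENOMEM;
+	if (fields && num_fields) {
+		*fields = kmalloc_array(i, sizeof(*fields), GFP_KERNEL);
+		if (*fields == NULL)
+			return -ENOMEM;
+
+		memcpy(*fields, found_fields, i * sizeof(*fields));
+		*num_fields = i;
+	}
 
-	memcpy(*fields, found_fields, i * sizeof(*fields));
-	*num_fields = i;
 	return 0;
 }
 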
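Review bot: The new validate-only mode of template_desc_init_fields() — calling it with NULL `fields` and `num_fields`, as ima_template_fmt_setup() does at new line 90 — is documented neither at the forward declaration (new lines 45-47) nor at the `if (fields && num_fields)` guard at new line 175, so a later reader cannot tell that the NULL case is intentional rather than a missing check. A comment above the declaration such as `/* fields and num_fields may both be NULL to only validate template_fmt */` would make the contract explicit. The guard also silently skips the output when exactly one of the two pointers is NULL, which looks like a caller bug rather than a supported mode; rejecting it up front with `if (!fields != !num_fields) return -EINVAL;` would surface such misuse, though the body of template_desc_init_fields() starts outside the hunk, so the right placement cannot be confirmed from here. Both setup hooks return early once `ima_template` is set, so whichever of `ima_template=` and `ima_template_fmt=` appears first on the command line wins; a one-line comment at the `if (ima_template)` checks (new lines 54 and 87) would spare the next reader from deriving that ordering rule.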