Diffstat (limited to 'security/integrity/ima')
-rw-r--r-- | security/integrity/ima/ima_api.c | 4 | ||||
-rw-r--r-- | security/integrity/ima/ima_queue.c | 17 |
2 files changed, 14 insertions, 7 deletions
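--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -178,8 +178,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
 strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX);
 
 result = ima_store_template(entry, violation, inode);
-if (!result)
+if (!result || result == -EEXIST)
 iint->flags |= IMA_MEASURED;
-else
+if (result < 0)
 kfree(entry);
 }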
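Review bot: The `-EEXIST` branch at new line 181 needs a comment, because the reader has to know that a duplicate digest is reported as an error (presumably the `result = -EEXIST` that ima_add_template_entry now sets on the hash_exists path) while the inode is still to be marked measured, and that the unqueued entry is then released only through the `result < 0` check on the next line. Suggest `/* -EEXIST: digest already on the measurement list; the inode counts as measured but this entry was never queued, so release it. */` above the first `if`. Whether ima_store_template can return a positive value is not visible here; if it can, such a result would neither mark the inode nor free the entry. ima_store_measurement's signature and the start of its body lie outside the hunk.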
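--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -23,6 +23,8 @@
 #include <linux/slab.h>
 #include "ima.h"
 
+#define AUDIT_CAUSE_LEN_MAX 32
+
 LIST_HEAD(ima_measurements); /* list of all measurements */
 
 /* key: inode (before secure-hashing a file) */
@@ -94,7 +96,8 @@ static int ima_pcr_extend(const u8 *hash)
 
 result = tpm_pcr_extend(TPM_ANY_NUM, CONFIG_IMA_MEASURE_PCR_IDX, hash);
 if (result != 0)
-pr_err("IMA: Error Communicating to TPM chip\n");
+pr_err("IMA: Error Communicating to TPM chip, result: %d\n",
+result);
 return result;
 }
 
@@ -106,14 +109,16 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
 {
 u8 digest[IMA_DIGEST_SIZE];
 const char *audit_cause = "hash_added";
+char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX];
 int audit_info = 1;
-int result = 0;
+int result = 0, tpmresult = 0;
 
 mutex_lock(&ima_extend_list_mutex);
 if (!violation) {
 memcpy(digest, entry->digest, sizeof digest);
 if (ima_lookup_digest_entry(digest)) {
 audit_cause = "hash_exists";
+result = -EEXIST;
 goto out;
 }
 }
@@ -128,9 +133,11 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
 if (violation) /* invalidate pcr */
 memset(digest, 0xff, sizeof digest);
 
-result = ima_pcr_extend(digest);
-if (result != 0) {
-audit_cause = "TPM error";
+tpmresult = ima_pcr_extend(digest);
+if (tpmresult != 0) {
+snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)",
+tpmresult);
+audit_cause = tpm_audit_cause;
 audit_info = 0;
 }
 out: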
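Review bot: The snprintf at new line 138 bounds the write with `AUDIT_CAUSE_LEN_MAX` rather than with the buffer it writes into; `snprintf(tpm_audit_cause, sizeof tpm_audit_cause, "TPM_error(%d)", tpmresult);` keeps the bound tied to the declaration at line 112 if that size is ever changed (32 bytes is enough for the longest `TPM_error(%d)` rendering). With the split into `tpmresult`, a failed PCR extend no longer reaches `result`, so if the code after `out:` still returns `result` (it lies outside the hunk) the caller sees success while the TPM PCR was not extended; that looks deliberate, since the entry has presumably already been added to the measurement list between the hunks and must not be freed by the caller, but it deserves a comment such as `/* TPM failure is only audited: the entry is already queued, so do not return an error the caller would act on by freeing it */` before `tpmresult = ima_pcr_extend(digest);`. ima_add_template_entry continues past the hunk.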