From: Prakhar Srivastava <prsriva02@gmail.com>
To: linux-integrity@vger.kernel.org,
linux-secuirty-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: zohar@linux.ibm.com, ebiederm@xmission.com, vgoyal@redhat.com,
nayna@linux.ibm.com, Prakhar Srivastava <prsriva02@gmail.com>
Subject: [PATCH v3 2/4] add the buffer to the xattr
Date: Mon, 29 Apr 2019 14:47:41 -0700 [thread overview]
Message-ID: <20190429214743.4625-3-prsriva02@gmail.com> (raw)
In-Reply-To: <20190429214743.4625-1-prsriva02@gmail.com>
From: Prakhar Srivastava <prsriva02@gmail.com>
Add the measured buffer to the xattr for the buffer case.
Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com>
---
security/integrity/ima/ima_main.c | 37 ++++++++++++++++++++---
security/integrity/ima/ima_template_lib.c | 3 +-
security/integrity/integrity.h | 1 +
3 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 3db3f3966ac7..7362952ab273 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -603,16 +603,37 @@ static int process_buffer_measurement(const void *buff, int size,
struct ima_digest_data hdr;
char digest[IMA_MAX_DIGEST_SIZE];
} hash;
+ struct buffer_xattr {
+ enum evm_ima_xattr_type type;
+ u16 buff_length;
+ unsigned char buff[0];
+ };
+
int violation = 0;
int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
+ struct buffer_xattr *buffer_event_data = NULL;
+ int alloc_length = 0;
+ int action = 0;
if (!buff || size == 0 || !eventname)
goto err_out;
- if (ima_get_action(NULL, cred, secid, 0, BUFFER_CHECK, &pcr)
- != IMA_MEASURE)
+ action = ima_get_action(NULL, cred, secid, 0, BUFFER_CHECK, &pcr);
+ if (!(action & IMA_AUDIT) && !(action & IMA_MEASURE))
+ goto err_out;
+
+ alloc_length = sizeof(struct buffer_xattr) + size;
+ buffer_event_data = kzalloc(alloc_length, GFP_KERNEL);
+ if (!buffer_event_data)
goto err_out;
+ buffer_event_data->type = IMA_XATTR_BUFFER;
+ buffer_event_data->buff_length = size;
+ memcpy(buffer_event_data->buff, buff, size);
+
+ event_data.xattr_value = (struct evm_ima_xattr_data *)buffer_event_data;
+ event_data.xattr_len = alloc_length;
+
memset(iint, 0, sizeof(*iint));
memset(&hash, 0, sizeof(hash));
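Review bot: `buffer_event_data->buff_length = size` narrows an `int` into a `u16` with no range check, and `size` is only tested against 0 a few lines earlier, so a negative or oversize length reaches `kzalloc(alloc_length, ...)` and `memcpy` while the recorded length is silently truncated; extend the existing guard to `if (!buff || size <= 0 || size > U16_MAX || !eventname) goto err_out;`. The local `struct buffer_xattr` is then cast to `struct evm_ima_xattr_data *`; that struct is not shown here, but if its `type` member is a single byte, the `enum`-sized `type` declared here only lines up on little-endian hosts, so a shared definition in integrity.h (or a `u8 type`) would remove the layout coupling. `unsigned char buff[0]` should be the C99 flexible array member `unsigned char buff[];`. process_buffer_measurement begins before this hunk.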
@@ -630,17 +651,23 @@ static int process_buffer_measurement(const void *buff, int size,
if (ret < 0)
goto err_out;
- ret = ima_store_template(entry, violation, NULL,
+ if (action & IMA_MEASURE)
+ ret = ima_store_template(entry, violation, NULL,
buff, pcr);
+
if (ret < 0) {
ima_free_template_entry(entry);
goto err_out;
}
- return 0;
+ if (action & IMA_AUDIT)
+ ima_audit_measurement(iint, event_data.filename);
+
+ ret = 0;
err_out:
- pr_err("Error in adding buffer measure: %d\n", ret);
+ kfree(buffer_event_data);
+ pr_debug("%s return: %d\n", __func__, ret);
return ret;
}
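Review bot: On the audit-only path (`action & IMA_AUDIT` without `IMA_MEASURE`) the template `entry` is never handed to `ima_store_template` and is never freed; if it comes from an `ima_alloc_init_template` call above the hunk, as the surrounding code suggests, it leaks on every audit-only call. Giving the new `if` an else branch, `else ima_free_template_entry(entry);`, closes that path, and the existing `if (ret < 0)` cleanup then only applies to the store failure it was written for. Downgrading the `err_out` message from `pr_err` to `pr_debug` also hides the real failures (allocation, hashing, store) that the original logged; an error-level message guarded by `ret < 0` would keep them visible. The function starts outside this hunk.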
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 513b457ae900..d22de3d8fcd9 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -383,7 +383,8 @@ int ima_eventsig_init(struct ima_event_data *event_data,
{
struct evm_ima_xattr_data *xattr_value = event_data->xattr_value;
- if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
+ if ((!xattr_value) || !((xattr_value->type == EVM_IMA_XATTR_DIGSIG) ||
+ (xattr_value->type == IMA_XATTR_BUFFER)))
return 0;
return ima_write_template_field_data(xattr_value, event_data->xattr_len,
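Review bot: The new condition `!((type == DIGSIG) || (type == BUFFER))` is a double negation that reads harder than the direct form; `if (!xattr_value || (xattr_value->type != EVM_IMA_XATTR_DIGSIG && xattr_value->type != IMA_XATTR_BUFFER))` says the same thing. Since this function feeds the template's signature field, a one-line comment such as `/* IMA_XATTR_BUFFER: the measured buffer itself is emitted in the sig field */` would tell readers of the measurement list why a non-signature blob appears there. ima_eventsig_init continues past the end of this hunk.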
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 7de59f44cba3..14ef904f091d 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -74,6 +74,7 @@ enum evm_ima_xattr_type {
EVM_IMA_XATTR_DIGSIG,
IMA_XATTR_DIGEST_NG,
EVM_XATTR_PORTABLE_DIGSIG,
+ IMA_XATTR_BUFFER,
IMA_XATTR_LAST
};
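Review bot: `IMA_XATTR_BUFFER` is placed in `enum evm_ima_xattr_type`, whose neighbouring values name on-disk `security.ima` xattr types, but this one is only built in memory by process_buffer_measurement and is never meant to be read back from an xattr. A comment on the new line, `IMA_XATTR_BUFFER,	/* in-memory only, never stored in security.ima */`, would make that clear, and any code that accepts xattr types by range against `IMA_XATTR_LAST` should be checked so it does not start accepting this value from disk.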
--
2.19.1