From: KP Singh <kpsingh@chromium.org>
To: Florent Revest <revest@chromium.org>
Cc: linux-integrity@vger.kernel.org, kpsingh@chromium.org,
mjg59@google.com, zohar@linux.ibm.com,
nramas@linux.microsoft.com, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
Florent Revest <revest@google.com>
Subject: Re: [PATCH v3] ima: add the ability to query the cached hash of a given file
Date: Mon, 13 Jan 2020 11:51:00 +0100 [thread overview]
Message-ID: <20200113105100.GA31000@google.com> (raw)
In-Reply-To: <20200113094244.26678-1-revest@chromium.org>
On 13-Jan 10:42, Florent Revest wrote:
> From: Florent Revest <revest@google.com>
>
> This allows other parts of the kernel (perhaps a stacked LSM allowing
> system monitoring, eg. the proposed KRSI LSM [1]) to retrieve the hash
> of a given file from IMA if it's present in the iint cache.
>
> It's true that the existence of the hash means that it's also in the
> audit logs or in /sys/kernel/security/ima/ascii_runtime_measurements,
> but it can be difficult to pull that information out for every
> subsequent exec. This is especially true if a given host has been up
> for a long time and the file was first measured a long time ago.
>
> It should be kept in mind that this function gives access to cached
> entries which can be removed, for instance on security_inode_free().
>
> This is based on Peter Moody's patch:
> https://sourceforge.net/p/linux-ima/mailman/message/33036180/
>
> [1] https://lkml.org/lkml/2019/9/10/393
>
> Signed-off-by: Florent Revest <revest@google.com>
Reviewed-by: KP Singh <kpsingh@chromium.org>
> ---
> include/linux/ima.h | 6 ++++
> security/integrity/ima/ima_main.c | 49 +++++++++++++++++++++++++++++++
> 2 files changed, 55 insertions(+)
>
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index f4644c54f648..1659217e9b60 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -23,6 +23,7 @@ extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
> extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
> enum kernel_read_file_id id);
> extern void ima_post_path_mknod(struct dentry *dentry);
> +extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
> extern void ima_kexec_cmdline(const void *buf, int size);
>
> #ifdef CONFIG_IMA_KEXEC
> @@ -91,6 +92,11 @@ static inline void ima_post_path_mknod(struct dentry *dentry)
> return;
> }
>
> +static inline int ima_file_hash(struct file *file, char *buf, size_t buf_size)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> static inline void ima_kexec_cmdline(const void *buf, int size) {}
> #endif /* CONFIG_IMA */
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 2272c3255c7d..9fe949c6a530 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -445,6 +445,55 @@ int ima_file_check(struct file *file, int mask)
> }
> EXPORT_SYMBOL_GPL(ima_file_check);
>
> +/**
> + * ima_file_hash - return the stored measurement if a file has been hashed and
> + * is in the iint cache.
> + * @file: pointer to the file
> + * @buf: buffer in which to store the hash
> + * @buf_size: length of the buffer
> + *
> + * On success, return the hash algorithm (as defined in the enum hash_algo).
> + * If buf is not NULL, this function also outputs the hash into buf.
> + * If the hash is larger than buf_size, then only buf_size bytes will be copied.
> + * It generally just makes sense to pass a buffer capable of holding the largest
> + * possible hash: IMA_MAX_DIGEST_SIZE.
> + * The file hash returned is based on the entire file, including the appended
> + * signature.
> + *
> + * If IMA is disabled or if no measurement is available, return -EOPNOTSUPP.
> + * If the parameters are incorrect, return -EINVAL.
> + */
> +int ima_file_hash(struct file *file, char *buf, size_t buf_size)
> +{
> + struct inode *inode;
> + struct integrity_iint_cache *iint;
> + int hash_algo;
> +
> + if (!file)
> + return -EINVAL;
> +
> + if (!ima_policy_flag)
> + return -EOPNOTSUPP;
> +
> + inode = file_inode(file);
> + iint = integrity_iint_find(inode);
> + if (!iint)
> + return -EOPNOTSUPP;
> +
> + mutex_lock(&iint->mutex);
> + if (buf) {
> + size_t copied_size;
> +
> + copied_size = min_t(size_t, iint->ima_hash->length, buf_size);
> + memcpy(buf, iint->ima_hash->digest, copied_size);
> + }
> + hash_algo = iint->ima_hash->algo;
> + mutex_unlock(&iint->mutex);
> +
> + return hash_algo;
> +}
> +EXPORT_SYMBOL_GPL(ima_file_hash);
> +
> /**
> * ima_post_create_tmpfile - mark newly created tmpfile as new
> * @file : newly created tmpfile
> --
> 2.25.0.rc1.283.g88dfdc4193-goog
>
prev parent reply other threads:[~2020-01-13 10:51 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-13 9:42 [PATCH v3] ima: add the ability to query the cached hash of a given file Florent Revest
2020-01-13 10:51 ` KP Singh [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200113105100.GA31000@google.com \
--to=kpsingh@chromium.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
--cc=nramas@linux.microsoft.com \
--cc=revest@chromium.org \
--cc=revest@google.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.