[RFC][PATCH 0/4] ima: add support for custom template formats

[RFC][PATCH 0/4] ima: add support for custom template formats

[Roberto Sassu]

[-- Attachment #1: Type: text/plain, Size: 1791 bytes --]

Hi everyone

currently accepted patches for the new template management mechanism allow to
choose among a list of supported templates, statically defined in the code.
This functionality is not flexible enough as users may want to include
in their measurements list only information needed and not use predefined
combinations.

For this reason, this patch set introduce the new kernel command line parameter
'ima_template_fmt' to specify a custom template format at boot time,
i.e. a string of template fields identifiers concatenated with the '|'
separator character. The complete list of defined template fields can be
found in Documentation/security/IMA-templates.txt.

The format string is checked at the very beginning in the setup function
ima_template_fmt_setup() so that, if it is wrong, IMA can go back to the
default template, selected through a kernel configuration option.

To allow userspace tools parse a measurements list with a custom format, IMA
provides as template name the same format string provided by users at boot
time, so that tools know which information are included in a entry and extract
them if they can handle listed template fields.

Roberto Sassu


Roberto Sassu (4):
  ima: added error messages to template-related functions
  ima: make a copy of template_fmt in template_desc_init_fields()
  ima: display template format in meas. list if template name length is
    zero
  ima: added support for new kernel cmdline parameter ima_template_fmt

 Documentation/kernel-parameters.txt      |  4 ++
 Documentation/security/IMA-templates.txt | 29 +++++++------
 security/integrity/ima/ima_fs.c          | 18 ++++++--
 security/integrity/ima/ima_template.c    | 71 ++++++++++++++++++++++++++++++--
 4 files changed, 100 insertions(+), 22 deletions(-)

-- 
1.8.1.4


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 2061 bytes --]

[RFC][PATCH 1/4] ima: added error messages to template-related functions

[Roberto Sassu]

[-- Attachment #1: Type: text/plain, Size: 1609 bytes --]

This patch adds some error messages to inform users about the following
events: template descriptor not found, template field not found, and
template initialization failed.

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
---
 security/integrity/ima/ima_template.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index 4e5da99..7bcff5c 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -49,8 +49,11 @@ static int __init ima_template_setup(char *str)
 	 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
 	 */
 	template_desc = lookup_template_desc(str);
-	if (!template_desc)
+	if (!template_desc) {
+		pr_err("IMA: template %s not found, using %s\n",
+		       str, CONFIG_IMA_DEFAULT_TEMPLATE);
 		return 1;
+	}
 
 	/*
 	 * Verify whether the current hash algorithm is supported
@@ -127,6 +130,7 @@ static int template_desc_init_fields(char *template_fmt,
 		struct ima_template_field *f = lookup_template_field(c);
 
 		if (!f) {
+			pr_err("IMA: field '%s' not found\n", c);
 			result = -ENOENT;
 			goto out;
 		}
@@ -152,8 +156,12 @@ static int init_defined_templates(void)
 		result = template_desc_init_fields(template->fmt,
 						   &(template->fields),
 						   &(template->num_fields));
-		if (result < 0)
+		if (result < 0) {
+			pr_err("IMA: template %s init failed, result: %d\n",
+			       (strlen(template->name) ?
+			       template->name : template->fmt), result);
 			return result;
+		}
 	}
 	return result;
 }
-- 
1.8.1.4


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 2061 bytes --]

[RFC][PATCH 2/4] ima: make a copy of template_fmt in template_desc_init_fields()

[Roberto Sassu]

[-- Attachment #1: Type: text/plain, Size: 1521 bytes --]

This patch makes a copy of the 'template_fmt' function argument so that
the latter will not be modified by strsep(), which does the splitting by
replacing the given separator with '\0'.

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
---
 security/integrity/ima/ima_template.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index 7bcff5c..bb33576 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -113,13 +113,19 @@ static int template_desc_init_fields(char *template_fmt,
 				     struct ima_template_field ***fields,
 				     int *num_fields)
 {
-	char *c, *template_fmt_ptr = template_fmt;
+	char *c, *template_fmt_ptr, *template_fmt_copy = NULL;
 	int template_num_fields = template_fmt_size(template_fmt);
 	int i, result = 0;
 
 	if (template_num_fields > IMA_TEMPLATE_NUM_FIELDS_MAX)
 		return -EINVAL;
 
+	/* copying is needed as strsep() modifies the original buffer */
+	template_fmt_copy = kstrdup(template_fmt, GFP_KERNEL);
+	if (template_fmt_copy == NULL)
+		return -ENOMEM;
+
+	template_fmt_ptr = template_fmt_copy;
 	*fields = kzalloc(template_num_fields * sizeof(*fields), GFP_KERNEL);
 	if (*fields == NULL) {
 		result = -ENOMEM;
@@ -139,6 +145,7 @@ static int template_desc_init_fields(char *template_fmt,
 	*num_fields = i;
 	return 0;
 out:
+	kfree(template_fmt_copy);
 	kfree(*fields);
 	*fields = NULL;
 	return result;
-- 
1.8.1.4


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 2061 bytes --]

[RFC][PATCH 3/4] ima: display template format in meas. list if template name length is zero

[Roberto Sassu]

[-- Attachment #1: Type: text/plain, Size: 3065 bytes --]

With the introduction of the 'ima_template_fmt' kernel cmdline parameter,
an user can define a new template descriptor with custom format. However,
in this case, userspace tools will be unable to parse the measurements
list because the new template is unknown. For this reason, this patch
modifies the current IMA behavior to display in the list the template
format instead of the name so that a tool can extract needed information
if it can handle listed fields.

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
---
 security/integrity/ima/ima_fs.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index d47a7c8..6db74ff 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -118,6 +118,7 @@ static int ima_measurements_show(struct seq_file *m, void *v)
 	/* the list never shrinks, so we don't need a lock here */
 	struct ima_queue_entry *qe = v;
 	struct ima_template_entry *e;
+	char *template_name;
 	int namelen;
 	u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX;
 	int i;
@@ -127,6 +128,10 @@ static int ima_measurements_show(struct seq_file *m, void *v)
 	if (e == NULL)
 		return -1;
 
+	template_name = e->template_desc->name;
+	if (strlen(e->template_desc->name) == 0)
+		template_name = e->template_desc->fmt;
+
 	/*
 	 * 1st: PCRIndex
 	 * PCR used is always the same (config option) in
@@ -138,14 +143,14 @@ static int ima_measurements_show(struct seq_file *m, void *v)
 	ima_putc(m, e->digest, TPM_DIGEST_SIZE);
 
 	/* 3rd: template name size */
-	namelen = strlen(e->template_desc->name);
+	namelen = strlen(template_name);
 	ima_putc(m, &namelen, sizeof namelen);
 
 	/* 4th:  template name */
-	ima_putc(m, e->template_desc->name, namelen);
+	ima_putc(m, template_name, namelen);
 
 	/* 5th:  template length (except for 'ima' template) */
-	if (strcmp(e->template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
+	if (strcmp(template_name, IMA_TEMPLATE_IMA_NAME) != 0)
 		ima_putc(m, &e->template_data_len,
 			 sizeof(e->template_data_len));
 
@@ -190,6 +195,7 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
 	/* the list never shrinks, so we don't need a lock here */
 	struct ima_queue_entry *qe = v;
 	struct ima_template_entry *e;
+	char *template_name;
 	int i;
 
 	/* get entry */
@@ -197,6 +203,10 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
 	if (e == NULL)
 		return -1;
 
+	template_name = e->template_desc->name;
+	if (strlen(e->template_desc->name) == 0)
+		template_name = e->template_desc->fmt;
+
 	/* 1st: PCR used (config option) */
 	seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX);
 
@@ -204,7 +214,7 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
 	ima_print_digest(m, e->digest, TPM_DIGEST_SIZE);
 
 	/* 3th:  template name */
-	seq_printf(m, " %s", e->template_desc->name);
+	seq_printf(m, " %s", template_name);
 
 	/* 4th:  template specific data */
 	for (i = 0; i < e->template_desc->num_fields; i++) {
-- 
1.8.1.4


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 2061 bytes --]

Re: [RFC][PATCH 3/4] ima: display template format in meas. list if template name length is zero

[Mimi Zohar]

On Thu, 2013-11-07 at 15:00 +0100, Roberto Sassu wrote:
> With the introduction of the 'ima_template_fmt' kernel cmdline parameter,
> an user can define a new template descriptor with custom format. However,
> in this case, userspace tools will be unable to parse the measurements
> list because the new template is unknown. For this reason, this patch
> modifies the current IMA behavior to display in the list the template
> format instead of the name so that a tool can extract needed information
> if it can handle listed fields.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
> ---
>  security/integrity/ima/ima_fs.c | 18 ++++++++++++++----
>  1 file changed, 14 insertions(+), 4 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index d47a7c8..6db74ff 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -118,6 +118,7 @@ static int ima_measurements_show(struct seq_file *m, void *v)
>  	/* the list never shrinks, so we don't need a lock here */
>  	struct ima_queue_entry *qe = v;
>  	struct ima_template_entry *e;
> +	char *template_name;
>  	int namelen;
>  	u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX;
>  	int i;
> @@ -127,6 +128,10 @@ static int ima_measurements_show(struct seq_file *m, void *v)
>  	if (e == NULL)
>  		return -1;
> 
> +	template_name = e->template_desc->name;
> +	if (strlen(e->template_desc->name) == 0)
> +		template_name = e->template_desc->fmt;
> +

Hi Roberto,

The patch description unconditionally says, "this patch modifies the
current IMA behavior to display in the list the template format instead
of the name".  The code only uses the 'fmt', if the name doesn't exist.
Please update the patch description accordingly.

Nothing is wrong with the above syntax, but template_name could be
assigned once using a ternary conditional expression(?:), like:

	template_name = (strlen(e->template_desc->name) == 0) ?
		e->template_desc->name : e->template_desc->fmt;

thanks,

Mimi

>  	/*
>  	 * 1st: PCRIndex
>  	 * PCR used is always the same (config option) in
> @@ -138,14 +143,14 @@ static int ima_measurements_show(struct seq_file *m, void *v)
>  	ima_putc(m, e->digest, TPM_DIGEST_SIZE);
> 
>  	/* 3rd: template name size */
> -	namelen = strlen(e->template_desc->name);
> +	namelen = strlen(template_name);
>  	ima_putc(m, &namelen, sizeof namelen);
> 
>  	/* 4th:  template name */
> -	ima_putc(m, e->template_desc->name, namelen);
> +	ima_putc(m, template_name, namelen);
> 
>  	/* 5th:  template length (except for 'ima' template) */
> -	if (strcmp(e->template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
> +	if (strcmp(template_name, IMA_TEMPLATE_IMA_NAME) != 0)
>  		ima_putc(m, &e->template_data_len,
>  			 sizeof(e->template_data_len));
> 
> @@ -190,6 +195,7 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
>  	/* the list never shrinks, so we don't need a lock here */
>  	struct ima_queue_entry *qe = v;
>  	struct ima_template_entry *e;
> +	char *template_name;
>  	int i;
> 
>  	/* get entry */
> @@ -197,6 +203,10 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
>  	if (e == NULL)
>  		return -1;
> 
> +	template_name = e->template_desc->name;
> +	if (strlen(e->template_desc->name) == 0)
> +		template_name = e->template_desc->fmt;
> +
>  	/* 1st: PCR used (config option) */
>  	seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX);
> 
> @@ -204,7 +214,7 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
>  	ima_print_digest(m, e->digest, TPM_DIGEST_SIZE);
> 
>  	/* 3th:  template name */
> -	seq_printf(m, " %s", e->template_desc->name);
> +	seq_printf(m, " %s", template_name);
> 
>  	/* 4th:  template specific data */
>  	for (i = 0; i < e->template_desc->num_fields; i++) {

Re: [RFC][PATCH 3/4] ima: display template format in meas. list if template name length is zero

[Roberto Sassu]

On 12/04/2013 10:08 PM, Mimi Zohar wrote:
> On Thu, 2013-11-07 at 15:00 +0100, Roberto Sassu wrote:
>> With the introduction of the 'ima_template_fmt' kernel cmdline parameter,
>> an user can define a new template descriptor with custom format. However,
>> in this case, userspace tools will be unable to parse the measurements
>> list because the new template is unknown. For this reason, this patch
>> modifies the current IMA behavior to display in the list the template
>> format instead of the name so that a tool can extract needed information
>> if it can handle listed fields.
>>
>> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
>> ---
>>   security/integrity/ima/ima_fs.c | 18 ++++++++++++++----
>>   1 file changed, 14 insertions(+), 4 deletions(-)
>>
>> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
>> index d47a7c8..6db74ff 100644
>> --- a/security/integrity/ima/ima_fs.c
>> +++ b/security/integrity/ima/ima_fs.c
>> @@ -118,6 +118,7 @@ static int ima_measurements_show(struct seq_file *m, void *v)
>>   	/* the list never shrinks, so we don't need a lock here */
>>   	struct ima_queue_entry *qe = v;
>>   	struct ima_template_entry *e;
>> +	char *template_name;
>>   	int namelen;
>>   	u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX;
>>   	int i;
>> @@ -127,6 +128,10 @@ static int ima_measurements_show(struct seq_file *m, void *v)
>>   	if (e == NULL)
>>   		return -1;
>>
>> +	template_name = e->template_desc->name;
>> +	if (strlen(e->template_desc->name) == 0)
>> +		template_name = e->template_desc->fmt;
>> +
>
> Hi Roberto,
>
> The patch description unconditionally says, "this patch modifies the
> current IMA behavior to display in the list the template format instead
> of the name".  The code only uses the 'fmt', if the name doesn't exist.
> Please update the patch description accordingly.
>
> Nothing is wrong with the above syntax, but template_name could be
> assigned once using a ternary conditional expression(?:), like:
>
> 	template_name = (strlen(e->template_desc->name) == 0) ?
> 		e->template_desc->name : e->template_desc->fmt;
>

Ok, I will make the changes.

Thanks

Roberto Sassu


> thanks,
>
> Mimi
>
>>   	/*
>>   	 * 1st: PCRIndex
>>   	 * PCR used is always the same (config option) in
>> @@ -138,14 +143,14 @@ static int ima_measurements_show(struct seq_file *m, void *v)
>>   	ima_putc(m, e->digest, TPM_DIGEST_SIZE);
>>
>>   	/* 3rd: template name size */
>> -	namelen = strlen(e->template_desc->name);
>> +	namelen = strlen(template_name);
>>   	ima_putc(m, &namelen, sizeof namelen);
>>
>>   	/* 4th:  template name */
>> -	ima_putc(m, e->template_desc->name, namelen);
>> +	ima_putc(m, template_name, namelen);
>>
>>   	/* 5th:  template length (except for 'ima' template) */
>> -	if (strcmp(e->template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
>> +	if (strcmp(template_name, IMA_TEMPLATE_IMA_NAME) != 0)
>>   		ima_putc(m, &e->template_data_len,
>>   			 sizeof(e->template_data_len));
>>
>> @@ -190,6 +195,7 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
>>   	/* the list never shrinks, so we don't need a lock here */
>>   	struct ima_queue_entry *qe = v;
>>   	struct ima_template_entry *e;
>> +	char *template_name;
>>   	int i;
>>
>>   	/* get entry */
>> @@ -197,6 +203,10 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
>>   	if (e == NULL)
>>   		return -1;
>>
>> +	template_name = e->template_desc->name;
>> +	if (strlen(e->template_desc->name) == 0)
>> +		template_name = e->template_desc->fmt;
>> +
>>   	/* 1st: PCR used (config option) */
>>   	seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX);
>>
>> @@ -204,7 +214,7 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
>>   	ima_print_digest(m, e->digest, TPM_DIGEST_SIZE);
>>
>>   	/* 3th:  template name */
>> -	seq_printf(m, " %s", e->template_desc->name);
>> +	seq_printf(m, " %s", template_name);
>>
>>   	/* 4th:  template specific data */
>>   	for (i = 0; i < e->template_desc->num_fields; i++) {
>
>

[RFC][PATCH 4/4] ima: added support for new kernel cmdline parameter ima_template_fmt

[Roberto Sassu]

[-- Attachment #1: Type: text/plain, Size: 7123 bytes --]

This patch allows users to provide a custom template format through the
new kernel command line parameter 'ima_template_fmt'. If the supplied
format is not valid, IMA uses the default template descriptor.

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
---
 Documentation/kernel-parameters.txt      |  4 +++
 Documentation/security/IMA-templates.txt | 29 +++++++++---------
 security/integrity/ima/ima_template.c    | 50 ++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+), 15 deletions(-)

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 1e8761c..27b14b2 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1199,6 +1199,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 			Formats: { "ima" | "ima-ng" }
 			Default: "ima-ng"
 
+	ima_template_fmt=
+	                [IMA] Define a custom template format.
+			Format: { "field1|...|fieldN" }
+
 	init=		[KNL]
 			Format: <full_path>
 			Run specified binary instead of /sbin/init as init
diff --git a/Documentation/security/IMA-templates.txt b/Documentation/security/IMA-templates.txt
index a777e5f..08ea2da 100644
--- a/Documentation/security/IMA-templates.txt
+++ b/Documentation/security/IMA-templates.txt
@@ -27,25 +27,22 @@ Managing templates with these structures is very simple. To support
 a new data type, developers define the field identifier and implement
 two functions, init() and show(), respectively to generate and display
 measurement entries. Defining a new template descriptor requires
-specifying the template format, a string of field identifiers separated
-by the '|' character. While in the current implementation it is possible
-to define new template descriptors only by adding their definition in the
-template specific code (ima_template.c), in a future version it will be
-possible to register a new template on a running kernel by supplying to IMA
-the desired format string. In this version, IMA initializes at boot time
-all defined template descriptors by translating the format into an array
-of template fields structures taken from the set of the supported ones.
+specifying the template format (a string of field identifiers separated
+by the '|' character) through the 'ima_template_fmt' kernel command line
+parameter. At boot time, IMA initializes all defined template descriptors
+by translating the format into an array of template fields structures taken
+from the set of the supported ones.
 
 After the initialization step, IMA will call ima_alloc_init_template()
 (new function defined within the patches for the new template management
 mechanism) to generate a new measurement entry by using the template
 descriptor chosen through the kernel configuration or through the newly
-introduced 'ima_template=' kernel command line parameter. It is during this
-phase that the advantages of the new architecture are clearly shown:
-the latter function will not contain specific code to handle a given template
-but, instead, it simply calls the init() method of the template fields
-associated to the chosen template descriptor and store the result (pointer
-to allocated data and data length) in the measurement entry structure.
+introduced 'ima_template' and 'ima_template_fmt' kernel command line parameters.
+It is during this phase that the advantages of the new architecture are
+clearly shown: the latter function will not contain specific code to handle
+a given template but, instead, it simply calls the init() method of the template
+fields associated to the chosen template descriptor and store the result
+(pointer to allocated data and data length) in the measurement entry structure.
 
 The same mechanism is employed to display measurements entries.
 The functions ima[_ascii]_measurements_show() retrieve, for each entry,
@@ -84,4 +81,6 @@ currently the following methods are supported:
  - select a template descriptor among those supported in the kernel
    configuration ('ima-ng' is the default choice);
  - specify a template descriptor name from the kernel command line through
-   the 'ima_template=' parameter.
+   the 'ima_template=' parameter;
+ - register a new template descriptor with custom format through the kernel
+   command line parameter 'ima_template_fmt='.
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index bb33576..5a95d06 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -21,6 +21,7 @@ static struct ima_template_desc defined_templates[] = {
 	{.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
 	{.name = "ima-ng",.fmt = "d-ng|n-ng"},
 	{.name = "ima-sig",.fmt = "d-ng|n-ng|sig"},
+	{.name = "",.fmt = ""},	/* placeholder for a custom format */
 };
 
 static struct ima_template_field supported_fields[] = {
@@ -38,12 +39,16 @@ static struct ima_template_field supported_fields[] = {
 
 static struct ima_template_desc *ima_template;
 static struct ima_template_desc *lookup_template_desc(const char *name);
+static struct ima_template_field *lookup_template_field(const char *field_id);
 
 static int __init ima_template_setup(char *str)
 {
 	struct ima_template_desc *template_desc;
 	int template_len = strlen(str);
 
+	if (ima_template)
+		return 1;
+
 	/*
 	 * Verify that a template with the supplied name exists.
 	 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
@@ -70,6 +75,48 @@ static int __init ima_template_setup(char *str)
 }
 __setup("ima_template=", ima_template_setup);
 
+static int __init ima_template_fmt_setup(char *str)
+{
+	int num_templates = ARRAY_SIZE(defined_templates);
+	char *str_ptr_start = str;
+	char *str_ptr_end = str_ptr_start;
+
+	if (ima_template)
+		return 1;
+
+	while (str_ptr_start != NULL) {
+		char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
+		int len;
+
+		str_ptr_end = strpbrk(str_ptr_start, "|");
+		if (str_ptr_end == NULL)
+			len = str + strlen(str) - str_ptr_start;
+		else
+			len = str_ptr_end++ - str_ptr_start;
+
+		if (len >= IMA_TEMPLATE_FIELD_ID_MAX_LEN) {
+			pr_err("IMA: field too long, using template %s\n",
+			       CONFIG_IMA_DEFAULT_TEMPLATE);
+			return 1;
+		}
+
+		memcpy(field_id, str_ptr_start, len);
+		field_id[len] = '\0';
+		if (lookup_template_field(field_id) == NULL) {
+			pr_err("IMA: field '%s' not found, using template %s\n",
+			       field_id, CONFIG_IMA_DEFAULT_TEMPLATE);
+			return 1;
+		}
+
+		str_ptr_start = str_ptr_end;
+	}
+
+	defined_templates[num_templates - 1].fmt = str;
+	ima_template = defined_templates + num_templates - 1;
+	return 1;
+}
+__setup("ima_template_fmt=", ima_template_fmt_setup);
+
 static struct ima_template_desc *lookup_template_desc(const char *name)
 {
 	int i;
@@ -160,6 +207,9 @@ static int init_defined_templates(void)
 	for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
 		struct ima_template_desc *template = &defined_templates[i];
 
+		if (strlen(template->fmt) == 0)
+			continue;
+
 		result = template_desc_init_fields(template->fmt,
 						   &(template->fields),
 						   &(template->num_fields));
-- 
1.8.1.4


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 2061 bytes --]

Re: [RFC][PATCH 4/4] ima: added support for new kernel cmdline parameter ima_template_fmt

[Dmitry Kasatkin]

On Thu, Nov 7, 2013 at 4:00 PM, Roberto Sassu <roberto.sassu@polito.it> wrote:
> This patch allows users to provide a custom template format through the
> new kernel command line parameter 'ima_template_fmt'. If the supplied
> format is not valid, IMA uses the default template descriptor.
>


Hi,

Why existing formats are not enough?
Why is it needed?

- Dmitry

> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
> ---
>  Documentation/kernel-parameters.txt      |  4 +++
>  Documentation/security/IMA-templates.txt | 29 +++++++++---------
>  security/integrity/ima/ima_template.c    | 50 ++++++++++++++++++++++++++++++++
>  3 files changed, 68 insertions(+), 15 deletions(-)
>
> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
> index 1e8761c..27b14b2 100644
> --- a/Documentation/kernel-parameters.txt
> +++ b/Documentation/kernel-parameters.txt
> @@ -1199,6 +1199,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
>                         Formats: { "ima" | "ima-ng" }
>                         Default: "ima-ng"
>
> +       ima_template_fmt=
> +                       [IMA] Define a custom template format.
> +                       Format: { "field1|...|fieldN" }
> +
>         init=           [KNL]
>                         Format: <full_path>
>                         Run specified binary instead of /sbin/init as init
> diff --git a/Documentation/security/IMA-templates.txt b/Documentation/security/IMA-templates.txt
> index a777e5f..08ea2da 100644
> --- a/Documentation/security/IMA-templates.txt
> +++ b/Documentation/security/IMA-templates.txt
> @@ -27,25 +27,22 @@ Managing templates with these structures is very simple. To support
>  a new data type, developers define the field identifier and implement
>  two functions, init() and show(), respectively to generate and display
>  measurement entries. Defining a new template descriptor requires
> -specifying the template format, a string of field identifiers separated
> -by the '|' character. While in the current implementation it is possible
> -to define new template descriptors only by adding their definition in the
> -template specific code (ima_template.c), in a future version it will be
> -possible to register a new template on a running kernel by supplying to IMA
> -the desired format string. In this version, IMA initializes at boot time
> -all defined template descriptors by translating the format into an array
> -of template fields structures taken from the set of the supported ones.
> +specifying the template format (a string of field identifiers separated
> +by the '|' character) through the 'ima_template_fmt' kernel command line
> +parameter. At boot time, IMA initializes all defined template descriptors
> +by translating the format into an array of template fields structures taken
> +from the set of the supported ones.
>
>  After the initialization step, IMA will call ima_alloc_init_template()
>  (new function defined within the patches for the new template management
>  mechanism) to generate a new measurement entry by using the template
>  descriptor chosen through the kernel configuration or through the newly
> -introduced 'ima_template=' kernel command line parameter. It is during this
> -phase that the advantages of the new architecture are clearly shown:
> -the latter function will not contain specific code to handle a given template
> -but, instead, it simply calls the init() method of the template fields
> -associated to the chosen template descriptor and store the result (pointer
> -to allocated data and data length) in the measurement entry structure.
> +introduced 'ima_template' and 'ima_template_fmt' kernel command line parameters.
> +It is during this phase that the advantages of the new architecture are
> +clearly shown: the latter function will not contain specific code to handle
> +a given template but, instead, it simply calls the init() method of the template
> +fields associated to the chosen template descriptor and store the result
> +(pointer to allocated data and data length) in the measurement entry structure.
>
>  The same mechanism is employed to display measurements entries.
>  The functions ima[_ascii]_measurements_show() retrieve, for each entry,
> @@ -84,4 +81,6 @@ currently the following methods are supported:
>   - select a template descriptor among those supported in the kernel
>     configuration ('ima-ng' is the default choice);
>   - specify a template descriptor name from the kernel command line through
> -   the 'ima_template=' parameter.
> +   the 'ima_template=' parameter;
> + - register a new template descriptor with custom format through the kernel
> +   command line parameter 'ima_template_fmt='.
> diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
> index bb33576..5a95d06 100644
> --- a/security/integrity/ima/ima_template.c
> +++ b/security/integrity/ima/ima_template.c
> @@ -21,6 +21,7 @@ static struct ima_template_desc defined_templates[] = {
>         {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
>         {.name = "ima-ng",.fmt = "d-ng|n-ng"},
>         {.name = "ima-sig",.fmt = "d-ng|n-ng|sig"},
> +       {.name = "",.fmt = ""}, /* placeholder for a custom format */
>  };
>
>  static struct ima_template_field supported_fields[] = {
> @@ -38,12 +39,16 @@ static struct ima_template_field supported_fields[] = {
>
>  static struct ima_template_desc *ima_template;
>  static struct ima_template_desc *lookup_template_desc(const char *name);
> +static struct ima_template_field *lookup_template_field(const char *field_id);
>
>  static int __init ima_template_setup(char *str)
>  {
>         struct ima_template_desc *template_desc;
>         int template_len = strlen(str);
>
> +       if (ima_template)
> +               return 1;
> +
>         /*
>          * Verify that a template with the supplied name exists.
>          * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
> @@ -70,6 +75,48 @@ static int __init ima_template_setup(char *str)
>  }
>  __setup("ima_template=", ima_template_setup);
>
> +static int __init ima_template_fmt_setup(char *str)
> +{
> +       int num_templates = ARRAY_SIZE(defined_templates);
> +       char *str_ptr_start = str;
> +       char *str_ptr_end = str_ptr_start;
> +
> +       if (ima_template)
> +               return 1;
> +
> +       while (str_ptr_start != NULL) {
> +               char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
> +               int len;
> +
> +               str_ptr_end = strpbrk(str_ptr_start, "|");
> +               if (str_ptr_end == NULL)
> +                       len = str + strlen(str) - str_ptr_start;
> +               else
> +                       len = str_ptr_end++ - str_ptr_start;
> +
> +               if (len >= IMA_TEMPLATE_FIELD_ID_MAX_LEN) {
> +                       pr_err("IMA: field too long, using template %s\n",
> +                              CONFIG_IMA_DEFAULT_TEMPLATE);
> +                       return 1;
> +               }
> +
> +               memcpy(field_id, str_ptr_start, len);
> +               field_id[len] = '\0';
> +               if (lookup_template_field(field_id) == NULL) {
> +                       pr_err("IMA: field '%s' not found, using template %s\n",
> +                              field_id, CONFIG_IMA_DEFAULT_TEMPLATE);
> +                       return 1;
> +               }
> +
> +               str_ptr_start = str_ptr_end;
> +       }
> +
> +       defined_templates[num_templates - 1].fmt = str;
> +       ima_template = defined_templates + num_templates - 1;
> +       return 1;
> +}
> +__setup("ima_template_fmt=", ima_template_fmt_setup);
> +
>  static struct ima_template_desc *lookup_template_desc(const char *name)
>  {
>         int i;
> @@ -160,6 +207,9 @@ static int init_defined_templates(void)
>         for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
>                 struct ima_template_desc *template = &defined_templates[i];
>
> +               if (strlen(template->fmt) == 0)
> +                       continue;
> +
>                 result = template_desc_init_fields(template->fmt,
>                                                    &(template->fields),
>                                                    &(template->num_fields));
> --
> 1.8.1.4
>



-- 
Thanks,
Dmitry

Re: [RFC][PATCH 4/4] ima: added support for new kernel cmdline parameter ima_template_fmt

[Roberto Sassu]

On 11/18/2013 04:35 PM, Dmitry Kasatkin wrote:
> On Thu, Nov 7, 2013 at 4:00 PM, Roberto Sassu <roberto.sassu@polito.it> wrote:
>> This patch allows users to provide a custom template format through the
>> new kernel command line parameter 'ima_template_fmt'. If the supplied
>> format is not valid, IMA uses the default template descriptor.
>>
>
>
> Hi,
>
> Why existing formats are not enough?
> Why is it needed?
>

Hi Dmitry

the reason is that the number of supported fields
will be larger than the number of registered templates.
So, instead of creating a new template descriptor
for each possible combination of template fields,
I would like to leave to users the choice.

For example, supposing that there are fields for displaying
the process UID, GID and LSM label, some users may want
only the first two, others the last and others all those fields.

Roberto Sassu


> - Dmitry
>
>> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
>> ---
>>   Documentation/kernel-parameters.txt      |  4 +++
>>   Documentation/security/IMA-templates.txt | 29 +++++++++---------
>>   security/integrity/ima/ima_template.c    | 50 ++++++++++++++++++++++++++++++++
>>   3 files changed, 68 insertions(+), 15 deletions(-)
>>
>> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
>> index 1e8761c..27b14b2 100644
>> --- a/Documentation/kernel-parameters.txt
>> +++ b/Documentation/kernel-parameters.txt
>> @@ -1199,6 +1199,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
>>                          Formats: { "ima" | "ima-ng" }
>>                          Default: "ima-ng"
>>
>> +       ima_template_fmt=
>> +                       [IMA] Define a custom template format.
>> +                       Format: { "field1|...|fieldN" }
>> +
>>          init=           [KNL]
>>                          Format: <full_path>
>>                          Run specified binary instead of /sbin/init as init
>> diff --git a/Documentation/security/IMA-templates.txt b/Documentation/security/IMA-templates.txt
>> index a777e5f..08ea2da 100644
>> --- a/Documentation/security/IMA-templates.txt
>> +++ b/Documentation/security/IMA-templates.txt
>> @@ -27,25 +27,22 @@ Managing templates with these structures is very simple. To support
>>   a new data type, developers define the field identifier and implement
>>   two functions, init() and show(), respectively to generate and display
>>   measurement entries. Defining a new template descriptor requires
>> -specifying the template format, a string of field identifiers separated
>> -by the '|' character. While in the current implementation it is possible
>> -to define new template descriptors only by adding their definition in the
>> -template specific code (ima_template.c), in a future version it will be
>> -possible to register a new template on a running kernel by supplying to IMA
>> -the desired format string. In this version, IMA initializes at boot time
>> -all defined template descriptors by translating the format into an array
>> -of template fields structures taken from the set of the supported ones.
>> +specifying the template format (a string of field identifiers separated
>> +by the '|' character) through the 'ima_template_fmt' kernel command line
>> +parameter. At boot time, IMA initializes all defined template descriptors
>> +by translating the format into an array of template fields structures taken
>> +from the set of the supported ones.
>>
>>   After the initialization step, IMA will call ima_alloc_init_template()
>>   (new function defined within the patches for the new template management
>>   mechanism) to generate a new measurement entry by using the template
>>   descriptor chosen through the kernel configuration or through the newly
>> -introduced 'ima_template=' kernel command line parameter. It is during this
>> -phase that the advantages of the new architecture are clearly shown:
>> -the latter function will not contain specific code to handle a given template
>> -but, instead, it simply calls the init() method of the template fields
>> -associated to the chosen template descriptor and store the result (pointer
>> -to allocated data and data length) in the measurement entry structure.
>> +introduced 'ima_template' and 'ima_template_fmt' kernel command line parameters.
>> +It is during this phase that the advantages of the new architecture are
>> +clearly shown: the latter function will not contain specific code to handle
>> +a given template but, instead, it simply calls the init() method of the template
>> +fields associated to the chosen template descriptor and store the result
>> +(pointer to allocated data and data length) in the measurement entry structure.
>>
>>   The same mechanism is employed to display measurements entries.
>>   The functions ima[_ascii]_measurements_show() retrieve, for each entry,
>> @@ -84,4 +81,6 @@ currently the following methods are supported:
>>    - select a template descriptor among those supported in the kernel
>>      configuration ('ima-ng' is the default choice);
>>    - specify a template descriptor name from the kernel command line through
>> -   the 'ima_template=' parameter.
>> +   the 'ima_template=' parameter;
>> + - register a new template descriptor with custom format through the kernel
>> +   command line parameter 'ima_template_fmt='.
>> diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
>> index bb33576..5a95d06 100644
>> --- a/security/integrity/ima/ima_template.c
>> +++ b/security/integrity/ima/ima_template.c
>> @@ -21,6 +21,7 @@ static struct ima_template_desc defined_templates[] = {
>>          {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
>>          {.name = "ima-ng",.fmt = "d-ng|n-ng"},
>>          {.name = "ima-sig",.fmt = "d-ng|n-ng|sig"},
>> +       {.name = "",.fmt = ""}, /* placeholder for a custom format */
>>   };
>>
>>   static struct ima_template_field supported_fields[] = {
>> @@ -38,12 +39,16 @@ static struct ima_template_field supported_fields[] = {
>>
>>   static struct ima_template_desc *ima_template;
>>   static struct ima_template_desc *lookup_template_desc(const char *name);
>> +static struct ima_template_field *lookup_template_field(const char *field_id);
>>
>>   static int __init ima_template_setup(char *str)
>>   {
>>          struct ima_template_desc *template_desc;
>>          int template_len = strlen(str);
>>
>> +       if (ima_template)
>> +               return 1;
>> +
>>          /*
>>           * Verify that a template with the supplied name exists.
>>           * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
>> @@ -70,6 +75,48 @@ static int __init ima_template_setup(char *str)
>>   }
>>   __setup("ima_template=", ima_template_setup);
>>
>> +static int __init ima_template_fmt_setup(char *str)
>> +{
>> +       int num_templates = ARRAY_SIZE(defined_templates);
>> +       char *str_ptr_start = str;
>> +       char *str_ptr_end = str_ptr_start;
>> +
>> +       if (ima_template)
>> +               return 1;
>> +
>> +       while (str_ptr_start != NULL) {
>> +               char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
>> +               int len;
>> +
>> +               str_ptr_end = strpbrk(str_ptr_start, "|");
>> +               if (str_ptr_end == NULL)
>> +                       len = str + strlen(str) - str_ptr_start;
>> +               else
>> +                       len = str_ptr_end++ - str_ptr_start;
>> +
>> +               if (len >= IMA_TEMPLATE_FIELD_ID_MAX_LEN) {
>> +                       pr_err("IMA: field too long, using template %s\n",
>> +                              CONFIG_IMA_DEFAULT_TEMPLATE);
>> +                       return 1;
>> +               }
>> +
>> +               memcpy(field_id, str_ptr_start, len);
>> +               field_id[len] = '\0';
>> +               if (lookup_template_field(field_id) == NULL) {
>> +                       pr_err("IMA: field '%s' not found, using template %s\n",
>> +                              field_id, CONFIG_IMA_DEFAULT_TEMPLATE);
>> +                       return 1;
>> +               }
>> +
>> +               str_ptr_start = str_ptr_end;
>> +       }
>> +
>> +       defined_templates[num_templates - 1].fmt = str;
>> +       ima_template = defined_templates + num_templates - 1;
>> +       return 1;
>> +}
>> +__setup("ima_template_fmt=", ima_template_fmt_setup);
>> +
>>   static struct ima_template_desc *lookup_template_desc(const char *name)
>>   {
>>          int i;
>> @@ -160,6 +207,9 @@ static int init_defined_templates(void)
>>          for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
>>                  struct ima_template_desc *template = &defined_templates[i];
>>
>> +               if (strlen(template->fmt) == 0)
>> +                       continue;
>> +
>>                  result = template_desc_init_fields(template->fmt,
>>                                                     &(template->fields),
>>                                                     &(template->num_fields));
>> --
>> 1.8.1.4
>>
>
>
>

Re: [RFC][PATCH 4/4] ima: added support for new kernel cmdline parameter ima_template_fmt

[Mimi Zohar]

On Thu, 2013-11-07 at 15:00 +0100, Roberto Sassu wrote:
> This patch allows users to provide a custom template format through the
> new kernel command line parameter 'ima_template_fmt'. If the supplied
> format is not valid, IMA uses the default template descriptor.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
> ---
>  Documentation/kernel-parameters.txt      |  4 +++
>  Documentation/security/IMA-templates.txt | 29 +++++++++---------
>  security/integrity/ima/ima_template.c    | 50 ++++++++++++++++++++++++++++++++
>  3 files changed, 68 insertions(+), 15 deletions(-)
> 
> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
> index 1e8761c..27b14b2 100644
> --- a/Documentation/kernel-parameters.txt
> +++ b/Documentation/kernel-parameters.txt
> @@ -1199,6 +1199,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
>  			Formats: { "ima" | "ima-ng" }
>  			Default: "ima-ng"
> 
> +	ima_template_fmt=
> +	                [IMA] Define a custom template format.
> +			Format: { "field1|...|fieldN" }
> +
>  	init=		[KNL]
>  			Format: <full_path>
>  			Run specified binary instead of /sbin/init as init
> diff --git a/Documentation/security/IMA-templates.txt b/Documentation/security/IMA-templates.txt
> index a777e5f..08ea2da 100644
> --- a/Documentation/security/IMA-templates.txt
> +++ b/Documentation/security/IMA-templates.txt
> @@ -27,25 +27,22 @@ Managing templates with these structures is very simple. To support
>  a new data type, developers define the field identifier and implement
>  two functions, init() and show(), respectively to generate and display
>  measurement entries. Defining a new template descriptor requires
> -specifying the template format, a string of field identifiers separated
> -by the '|' character. While in the current implementation it is possible
> -to define new template descriptors only by adding their definition in the
> -template specific code (ima_template.c), in a future version it will be
> -possible to register a new template on a running kernel by supplying to IMA
> -the desired format string. In this version, IMA initializes at boot time
> -all defined template descriptors by translating the format into an array
> -of template fields structures taken from the set of the supported ones.
> +specifying the template format (a string of field identifiers separated
> +by the '|' character) through the 'ima_template_fmt' kernel command line
> +parameter. At boot time, IMA initializes all defined template descriptors
> +by translating the format into an array of template fields structures taken
> +from the set of the supported ones.
> 
>  After the initialization step, IMA will call ima_alloc_init_template()
>  (new function defined within the patches for the new template management
>  mechanism) to generate a new measurement entry by using the template
>  descriptor chosen through the kernel configuration or through the newly
> -introduced 'ima_template=' kernel command line parameter. It is during this
> -phase that the advantages of the new architecture are clearly shown:
> -the latter function will not contain specific code to handle a given template
> -but, instead, it simply calls the init() method of the template fields
> -associated to the chosen template descriptor and store the result (pointer
> -to allocated data and data length) in the measurement entry structure.
> +introduced 'ima_template' and 'ima_template_fmt' kernel command line parameters.
> +It is during this phase that the advantages of the new architecture are
> +clearly shown: the latter function will not contain specific code to handle
> +a given template but, instead, it simply calls the init() method of the template
> +fields associated to the chosen template descriptor and store the result
> +(pointer to allocated data and data length) in the measurement entry structure.
> 
>  The same mechanism is employed to display measurements entries.
>  The functions ima[_ascii]_measurements_show() retrieve, for each entry,
> @@ -84,4 +81,6 @@ currently the following methods are supported:
>   - select a template descriptor among those supported in the kernel
>     configuration ('ima-ng' is the default choice);
>   - specify a template descriptor name from the kernel command line through
> -   the 'ima_template=' parameter.
> +   the 'ima_template=' parameter;
> + - register a new template descriptor with custom format through the kernel
> +   command line parameter 'ima_template_fmt='.
> diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
> index bb33576..5a95d06 100644
> --- a/security/integrity/ima/ima_template.c
> +++ b/security/integrity/ima/ima_template.c
> @@ -21,6 +21,7 @@ static struct ima_template_desc defined_templates[] = {
>  	{.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
>  	{.name = "ima-ng",.fmt = "d-ng|n-ng"},
>  	{.name = "ima-sig",.fmt = "d-ng|n-ng|sig"},
> +	{.name = "",.fmt = ""},	/* placeholder for a custom format */
>  };
> 
>  static struct ima_template_field supported_fields[] = {
> @@ -38,12 +39,16 @@ static struct ima_template_field supported_fields[] = {
> 
>  static struct ima_template_desc *ima_template;
>  static struct ima_template_desc *lookup_template_desc(const char *name);
> +static struct ima_template_field *lookup_template_field(const char *field_id);
> 
>  static int __init ima_template_setup(char *str)
>  {
>  	struct ima_template_desc *template_desc;
>  	int template_len = strlen(str);
> 
> +	if (ima_template)
> +		return 1;
> +
>  	/*
>  	 * Verify that a template with the supplied name exists.
>  	 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
> @@ -70,6 +75,48 @@ static int __init ima_template_setup(char *str)
>  }
>  __setup("ima_template=", ima_template_setup);
> 
> +static int __init ima_template_fmt_setup(char *str)
> +{
> +	int num_templates = ARRAY_SIZE(defined_templates);
> +	char *str_ptr_start = str;
> +	char *str_ptr_end = str_ptr_start;
> +
> +	if (ima_template)
> +		return 1;
> +
> +	while (str_ptr_start != NULL) {
> +		char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
> +		int len;
> +
> +		str_ptr_end = strpbrk(str_ptr_start, "|");
> +		if (str_ptr_end == NULL)
> +			len = str + strlen(str) - str_ptr_start;
> +		else
> +			len = str_ptr_end++ - str_ptr_start;
> +
> +		if (len >= IMA_TEMPLATE_FIELD_ID_MAX_LEN) {
> +			pr_err("IMA: field too long, using template %s\n",
> +			       CONFIG_IMA_DEFAULT_TEMPLATE);
> +			return 1;
> +		}
> +
> +		memcpy(field_id, str_ptr_start, len);
> +		field_id[len] = '\0';
> +		if (lookup_template_field(field_id) == NULL) {
> +			pr_err("IMA: field '%s' not found, using template %s\n",
> +			       field_id, CONFIG_IMA_DEFAULT_TEMPLATE);
> +			return 1;
> +		}
> +
> +		str_ptr_start = str_ptr_end;
> +	}
> +

Roberto, looking this over again, I think this can be simplified by
using strsep().

Mimi

> +	defined_templates[num_templates - 1].fmt = str;
> +	ima_template = defined_templates + num_templates - 1;
> +	return 1;
> +}
> +__setup("ima_template_fmt=", ima_template_fmt_setup);
> +
>  static struct ima_template_desc *lookup_template_desc(const char *name)
>  {
>  	int i;
> @@ -160,6 +207,9 @@ static int init_defined_templates(void)
>  	for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
>  		struct ima_template_desc *template = &defined_templates[i];
> 
> +		if (strlen(template->fmt) == 0)
> +			continue;
> +
>  		result = template_desc_init_fields(template->fmt,
>  						   &(template->fields),
>  						   &(template->num_fields));

Re: [RFC][PATCH 4/4] ima: added support for new kernel cmdline parameter ima_template_fmt

[Roberto Sassu]

On 12/04/2013 10:05 PM, Mimi Zohar wrote:
> On Thu, 2013-11-07 at 15:00 +0100, Roberto Sassu wrote:
>> This patch allows users to provide a custom template format through the
>> new kernel command line parameter 'ima_template_fmt'. If the supplied
>> format is not valid, IMA uses the default template descriptor.
>>
>> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
>> ---
>>   Documentation/kernel-parameters.txt      |  4 +++
>>   Documentation/security/IMA-templates.txt | 29 +++++++++---------
>>   security/integrity/ima/ima_template.c    | 50 ++++++++++++++++++++++++++++++++
>>   3 files changed, 68 insertions(+), 15 deletions(-)
>>
>> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
>> index 1e8761c..27b14b2 100644
>> --- a/Documentation/kernel-parameters.txt
>> +++ b/Documentation/kernel-parameters.txt
>> @@ -1199,6 +1199,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
>>   			Formats: { "ima" | "ima-ng" }
>>   			Default: "ima-ng"
>>
>> +	ima_template_fmt=
>> +	                [IMA] Define a custom template format.
>> +			Format: { "field1|...|fieldN" }
>> +
>>   	init=		[KNL]
>>   			Format: <full_path>
>>   			Run specified binary instead of /sbin/init as init
>> diff --git a/Documentation/security/IMA-templates.txt b/Documentation/security/IMA-templates.txt
>> index a777e5f..08ea2da 100644
>> --- a/Documentation/security/IMA-templates.txt
>> +++ b/Documentation/security/IMA-templates.txt
>> @@ -27,25 +27,22 @@ Managing templates with these structures is very simple. To support
>>   a new data type, developers define the field identifier and implement
>>   two functions, init() and show(), respectively to generate and display
>>   measurement entries. Defining a new template descriptor requires
>> -specifying the template format, a string of field identifiers separated
>> -by the '|' character. While in the current implementation it is possible
>> -to define new template descriptors only by adding their definition in the
>> -template specific code (ima_template.c), in a future version it will be
>> -possible to register a new template on a running kernel by supplying to IMA
>> -the desired format string. In this version, IMA initializes at boot time
>> -all defined template descriptors by translating the format into an array
>> -of template fields structures taken from the set of the supported ones.
>> +specifying the template format (a string of field identifiers separated
>> +by the '|' character) through the 'ima_template_fmt' kernel command line
>> +parameter. At boot time, IMA initializes all defined template descriptors
>> +by translating the format into an array of template fields structures taken
>> +from the set of the supported ones.
>>
>>   After the initialization step, IMA will call ima_alloc_init_template()
>>   (new function defined within the patches for the new template management
>>   mechanism) to generate a new measurement entry by using the template
>>   descriptor chosen through the kernel configuration or through the newly
>> -introduced 'ima_template=' kernel command line parameter. It is during this
>> -phase that the advantages of the new architecture are clearly shown:
>> -the latter function will not contain specific code to handle a given template
>> -but, instead, it simply calls the init() method of the template fields
>> -associated to the chosen template descriptor and store the result (pointer
>> -to allocated data and data length) in the measurement entry structure.
>> +introduced 'ima_template' and 'ima_template_fmt' kernel command line parameters.
>> +It is during this phase that the advantages of the new architecture are
>> +clearly shown: the latter function will not contain specific code to handle
>> +a given template but, instead, it simply calls the init() method of the template
>> +fields associated to the chosen template descriptor and store the result
>> +(pointer to allocated data and data length) in the measurement entry structure.
>>
>>   The same mechanism is employed to display measurements entries.
>>   The functions ima[_ascii]_measurements_show() retrieve, for each entry,
>> @@ -84,4 +81,6 @@ currently the following methods are supported:
>>    - select a template descriptor among those supported in the kernel
>>      configuration ('ima-ng' is the default choice);
>>    - specify a template descriptor name from the kernel command line through
>> -   the 'ima_template=' parameter.
>> +   the 'ima_template=' parameter;
>> + - register a new template descriptor with custom format through the kernel
>> +   command line parameter 'ima_template_fmt='.
>> diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
>> index bb33576..5a95d06 100644
>> --- a/security/integrity/ima/ima_template.c
>> +++ b/security/integrity/ima/ima_template.c
>> @@ -21,6 +21,7 @@ static struct ima_template_desc defined_templates[] = {
>>   	{.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
>>   	{.name = "ima-ng",.fmt = "d-ng|n-ng"},
>>   	{.name = "ima-sig",.fmt = "d-ng|n-ng|sig"},
>> +	{.name = "",.fmt = ""},	/* placeholder for a custom format */
>>   };
>>
>>   static struct ima_template_field supported_fields[] = {
>> @@ -38,12 +39,16 @@ static struct ima_template_field supported_fields[] = {
>>
>>   static struct ima_template_desc *ima_template;
>>   static struct ima_template_desc *lookup_template_desc(const char *name);
>> +static struct ima_template_field *lookup_template_field(const char *field_id);
>>
>>   static int __init ima_template_setup(char *str)
>>   {
>>   	struct ima_template_desc *template_desc;
>>   	int template_len = strlen(str);
>>
>> +	if (ima_template)
>> +		return 1;
>> +
>>   	/*
>>   	 * Verify that a template with the supplied name exists.
>>   	 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
>> @@ -70,6 +75,48 @@ static int __init ima_template_setup(char *str)
>>   }
>>   __setup("ima_template=", ima_template_setup);
>>
>> +static int __init ima_template_fmt_setup(char *str)
>> +{
>> +	int num_templates = ARRAY_SIZE(defined_templates);
>> +	char *str_ptr_start = str;
>> +	char *str_ptr_end = str_ptr_start;
>> +
>> +	if (ima_template)
>> +		return 1;
>> +
>> +	while (str_ptr_start != NULL) {
>> +		char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
>> +		int len;
>> +
>> +		str_ptr_end = strpbrk(str_ptr_start, "|");
>> +		if (str_ptr_end == NULL)
>> +			len = str + strlen(str) - str_ptr_start;
>> +		else
>> +			len = str_ptr_end++ - str_ptr_start;
>> +
>> +		if (len >= IMA_TEMPLATE_FIELD_ID_MAX_LEN) {
>> +			pr_err("IMA: field too long, using template %s\n",
>> +			       CONFIG_IMA_DEFAULT_TEMPLATE);
>> +			return 1;
>> +		}
>> +
>> +		memcpy(field_id, str_ptr_start, len);
>> +		field_id[len] = '\0';
>> +		if (lookup_template_field(field_id) == NULL) {
>> +			pr_err("IMA: field '%s' not found, using template %s\n",
>> +			       field_id, CONFIG_IMA_DEFAULT_TEMPLATE);
>> +			return 1;
>> +		}
>> +
>> +		str_ptr_start = str_ptr_end;
>> +	}
>> +
>
> Roberto, looking this over again, I think this can be simplified by
> using strsep().
>

Hi Mimi

yes, the code can be simplified. However, I did not use strsep()
to avoid that this function modifies the kernel command line
(it replaces the passed separator character with '\0').
Since the custom format string is parsed again later, I also
have to revert changes made by strsep().

Thanks

Roberto Sassu


> Mimi
>
>> +	defined_templates[num_templates - 1].fmt = str;
>> +	ima_template = defined_templates + num_templates - 1;
>> +	return 1;
>> +}
>> +__setup("ima_template_fmt=", ima_template_fmt_setup);
>> +
>>   static struct ima_template_desc *lookup_template_desc(const char *name)
>>   {
>>   	int i;
>> @@ -160,6 +207,9 @@ static int init_defined_templates(void)
>>   	for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
>>   		struct ima_template_desc *template = &defined_templates[i];
>>
>> +		if (strlen(template->fmt) == 0)
>> +			continue;
>> +
>>   		result = template_desc_init_fields(template->fmt,
>>   						   &(template->fields),
>>   						   &(template->num_fields));
>
>

Re: [RFC][PATCH 4/4] ima: added support for new kernel cmdline parameter ima_template_fmt

[Mimi Zohar]

On Thu, 2013-12-05 at 09:49 +0100, Roberto Sassu wrote:
> On 12/04/2013 10:05 PM, Mimi Zohar wrote:
> > On Thu, 2013-11-07 at 15:00 +0100, Roberto Sassu wrote:
> >> This patch allows users to provide a custom template format through the
> >> new kernel command line parameter 'ima_template_fmt'. If the supplied
> >> format is not valid, IMA uses the default template descriptor.
> >>
> >> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
> >> ---
> >>   Documentation/kernel-parameters.txt      |  4 +++
> >>   Documentation/security/IMA-templates.txt | 29 +++++++++---------
> >>   security/integrity/ima/ima_template.c    | 50 ++++++++++++++++++++++++++++++++
> >>   3 files changed, 68 insertions(+), 15 deletions(-)
> >>
> >> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
> >> index 1e8761c..27b14b2 100644
> >> --- a/Documentation/kernel-parameters.txt
> >> +++ b/Documentation/kernel-parameters.txt
> >> @@ -1199,6 +1199,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
> >>   			Formats: { "ima" | "ima-ng" }
> >>   			Default: "ima-ng"
> >>
> >> +	ima_template_fmt=
> >> +	                [IMA] Define a custom template format.
> >> +			Format: { "field1|...|fieldN" }
> >> +
> >>   	init=		[KNL]
> >>   			Format: <full_path>
> >>   			Run specified binary instead of /sbin/init as init
> >> diff --git a/Documentation/security/IMA-templates.txt b/Documentation/security/IMA-templates.txt
> >> index a777e5f..08ea2da 100644
> >> --- a/Documentation/security/IMA-templates.txt
> >> +++ b/Documentation/security/IMA-templates.txt
> >> @@ -27,25 +27,22 @@ Managing templates with these structures is very simple. To support
> >>   a new data type, developers define the field identifier and implement
> >>   two functions, init() and show(), respectively to generate and display
> >>   measurement entries. Defining a new template descriptor requires
> >> -specifying the template format, a string of field identifiers separated
> >> -by the '|' character. While in the current implementation it is possible
> >> -to define new template descriptors only by adding their definition in the
> >> -template specific code (ima_template.c), in a future version it will be
> >> -possible to register a new template on a running kernel by supplying to IMA
> >> -the desired format string. In this version, IMA initializes at boot time
> >> -all defined template descriptors by translating the format into an array
> >> -of template fields structures taken from the set of the supported ones.
> >> +specifying the template format (a string of field identifiers separated
> >> +by the '|' character) through the 'ima_template_fmt' kernel command line
> >> +parameter. At boot time, IMA initializes all defined template descriptors
> >> +by translating the format into an array of template fields structures taken
> >> +from the set of the supported ones.
> >>
> >>   After the initialization step, IMA will call ima_alloc_init_template()
> >>   (new function defined within the patches for the new template management
> >>   mechanism) to generate a new measurement entry by using the template
> >>   descriptor chosen through the kernel configuration or through the newly
> >> -introduced 'ima_template=' kernel command line parameter. It is during this
> >> -phase that the advantages of the new architecture are clearly shown:
> >> -the latter function will not contain specific code to handle a given template
> >> -but, instead, it simply calls the init() method of the template fields
> >> -associated to the chosen template descriptor and store the result (pointer
> >> -to allocated data and data length) in the measurement entry structure.
> >> +introduced 'ima_template' and 'ima_template_fmt' kernel command line parameters.
> >> +It is during this phase that the advantages of the new architecture are
> >> +clearly shown: the latter function will not contain specific code to handle
> >> +a given template but, instead, it simply calls the init() method of the template
> >> +fields associated to the chosen template descriptor and store the result
> >> +(pointer to allocated data and data length) in the measurement entry structure.
> >>
> >>   The same mechanism is employed to display measurements entries.
> >>   The functions ima[_ascii]_measurements_show() retrieve, for each entry,
> >> @@ -84,4 +81,6 @@ currently the following methods are supported:
> >>    - select a template descriptor among those supported in the kernel
> >>      configuration ('ima-ng' is the default choice);
> >>    - specify a template descriptor name from the kernel command line through
> >> -   the 'ima_template=' parameter.
> >> +   the 'ima_template=' parameter;
> >> + - register a new template descriptor with custom format through the kernel
> >> +   command line parameter 'ima_template_fmt='.
> >> diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
> >> index bb33576..5a95d06 100644
> >> --- a/security/integrity/ima/ima_template.c
> >> +++ b/security/integrity/ima/ima_template.c
> >> @@ -21,6 +21,7 @@ static struct ima_template_desc defined_templates[] = {
> >>   	{.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
> >>   	{.name = "ima-ng",.fmt = "d-ng|n-ng"},
> >>   	{.name = "ima-sig",.fmt = "d-ng|n-ng|sig"},
> >> +	{.name = "",.fmt = ""},	/* placeholder for a custom format */
> >>   };
> >>
> >>   static struct ima_template_field supported_fields[] = {
> >> @@ -38,12 +39,16 @@ static struct ima_template_field supported_fields[] = {
> >>
> >>   static struct ima_template_desc *ima_template;
> >>   static struct ima_template_desc *lookup_template_desc(const char *name);
> >> +static struct ima_template_field *lookup_template_field(const char *field_id);
> >>
> >>   static int __init ima_template_setup(char *str)
> >>   {
> >>   	struct ima_template_desc *template_desc;
> >>   	int template_len = strlen(str);
> >>
> >> +	if (ima_template)
> >> +		return 1;
> >> +
> >>   	/*
> >>   	 * Verify that a template with the supplied name exists.
> >>   	 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
> >> @@ -70,6 +75,48 @@ static int __init ima_template_setup(char *str)
> >>   }
> >>   __setup("ima_template=", ima_template_setup);
> >>
> >> +static int __init ima_template_fmt_setup(char *str)
> >> +{
> >> +	int num_templates = ARRAY_SIZE(defined_templates);
> >> +	char *str_ptr_start = str;
> >> +	char *str_ptr_end = str_ptr_start;
> >> +
> >> +	if (ima_template)
> >> +		return 1;
> >> +
> >> +	while (str_ptr_start != NULL) {
> >> +		char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
> >> +		int len;
> >> +
> >> +		str_ptr_end = strpbrk(str_ptr_start, "|");
> >> +		if (str_ptr_end == NULL)
> >> +			len = str + strlen(str) - str_ptr_start;
> >> +		else
> >> +			len = str_ptr_end++ - str_ptr_start;
> >> +
> >> +		if (len >= IMA_TEMPLATE_FIELD_ID_MAX_LEN) {
> >> +			pr_err("IMA: field too long, using template %s\n",
> >> +			       CONFIG_IMA_DEFAULT_TEMPLATE);
> >> +			return 1;
> >> +		}
> >> +
> >> +		memcpy(field_id, str_ptr_start, len);
> >> +		field_id[len] = '\0';
> >> +		if (lookup_template_field(field_id) == NULL) {
> >> +			pr_err("IMA: field '%s' not found, using template %s\n",
> >> +			       field_id, CONFIG_IMA_DEFAULT_TEMPLATE);
> >> +			return 1;
> >> +		}
> >> +
> >> +		str_ptr_start = str_ptr_end;
> >> +	}
> >> +
> >
> > Roberto, looking this over again, I think this can be simplified by
> > using strsep().
> >
> 
> Hi Mimi
> 
> yes, the code can be simplified. However, I did not use strsep()
> to avoid that this function modifies the kernel command line
> (it replaces the passed separator character with '\0').
> Since the custom format string is parsed again later, I also
> have to revert changes made by strsep().

Somehow the code needs to be simplified and cleaned up.  For example,
str_ptr_start/end need to be renamed to something simpler, like
field/field_end or token/token_end. (Refer to Documentation/CodingStyle
chapter 4 for variable naming style.)  Perhaps, instead of using
strsep(), write a function to return a pointer to the field and field
length.

thanks,

Mimi

> >
> >> +	defined_templates[num_templates - 1].fmt = str;
> >> +	ima_template = defined_templates + num_templates - 1;
> >> +	return 1;
> >> +}
> >> +__setup("ima_template_fmt=", ima_template_fmt_setup);
> >> +
> >>   static struct ima_template_desc *lookup_template_desc(const char *name)
> >>   {
> >>   	int i;
> >> @@ -160,6 +207,9 @@ static int init_defined_templates(void)
> >>   	for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
> >>   		struct ima_template_desc *template = &defined_templates[i];
> >>
> >> +		if (strlen(template->fmt) == 0)
> >> +			continue;
> >> +
> >>   		result = template_desc_init_fields(template->fmt,
> >>   						   &(template->fields),
> >>   						   &(template->num_fields));
> >
> >
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: [RFC][PATCH 4/4] ima: added support for new kernel cmdline parameter ima_template_fmt

[Mimi Zohar]

On Thu, 2013-12-05 at 07:15 -0500, Mimi Zohar wrote:
> On Thu, 2013-12-05 at 09:49 +0100, Roberto Sassu wrote:
> > On 12/04/2013 10:05 PM, Mimi Zohar wrote:
> > > On Thu, 2013-11-07 at 15:00 +0100, Roberto Sassu wrote:

> > >> +static int __init ima_template_fmt_setup(char *str)
> > >> +{
> > >> +	int num_templates = ARRAY_SIZE(defined_templates);
> > >> +	char *str_ptr_start = str;
> > >> +	char *str_ptr_end = str_ptr_start;
> > >> +
> > >> +	if (ima_template)
> > >> +		return 1;
> > >> +
> > >> +	while (str_ptr_start != NULL) {
> > >> +		char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
> > >> +		int len;
> > >> +
> > >> +		str_ptr_end = strpbrk(str_ptr_start, "|");
> > >> +		if (str_ptr_end == NULL)
> > >> +			len = str + strlen(str) - str_ptr_start;
> > >> +		else
> > >> +			len = str_ptr_end++ - str_ptr_start;
> > >> +
> > >> +		if (len >= IMA_TEMPLATE_FIELD_ID_MAX_LEN) {
> > >> +			pr_err("IMA: field too long, using template %s\n",
> > >> +			       CONFIG_IMA_DEFAULT_TEMPLATE);
> > >> +			return 1;
> > >> +		}
> > >> +
> > >> +		memcpy(field_id, str_ptr_start, len);
> > >> +		field_id[len] = '\0';
> > >> +		if (lookup_template_field(field_id) == NULL) {
> > >> +			pr_err("IMA: field '%s' not found, using template %s\n",
> > >> +			       field_id, CONFIG_IMA_DEFAULT_TEMPLATE);
> > >> +			return 1;
> > >> +		}
> > >> +
> > >> +		str_ptr_start = str_ptr_end;
> > >> +	}
> > >> +
> > >
> > > Roberto, looking this over again, I think this can be simplified by
> > > using strsep().
> > >
> > 
> > Hi Mimi
> > 
> > yes, the code can be simplified. However, I did not use strsep()
> > to avoid that this function modifies the kernel command line
> > (it replaces the passed separator character with '\0').
> > Since the custom format string is parsed again later, I also
> > have to revert changes made by strsep().
> 
> Somehow the code needs to be simplified and cleaned up.  For example,
> str_ptr_start/end need to be renamed to something simpler, like
> field/field_end or token/token_end. (Refer to Documentation/CodingStyle
> chapter 4 for variable naming style.)  Perhaps, instead of using
> strsep(), write a function to return a pointer to the field and field
> length.

Using lib/string.c:strcspn() might help.

Mimi

Re: [RFC][PATCH 0/4] ima: add support for custom template formats

[Mimi Zohar]

On Thu, 2013-11-07 at 15:00 +0100, Roberto Sassu wrote:
> Hi everyone
> 
> currently accepted patches for the new template management mechanism allow to
> choose among a list of supported templates, statically defined in the code.
> This functionality is not flexible enough as users may want to include
> in their measurements list only information needed and not use predefined
> combinations.
> 
> For this reason, this patch set introduce the new kernel command line parameter
> 'ima_template_fmt' to specify a custom template format at boot time,
> i.e. a string of template fields identifiers concatenated with the '|'
> separator character. The complete list of defined template fields can be
> found in Documentation/security/IMA-templates.txt.
> 
> The format string is checked at the very beginning in the setup function
> ima_template_fmt_setup() so that, if it is wrong, IMA can go back to the
> default template, selected through a kernel configuration option.
> 
> To allow userspace tools parse a measurements list with a custom format, IMA
> provides as template name the same format string provided by users at boot
> time, so that tools know which information are included in a entry and extract
> them if they can handle listed template fields.
> 
> Roberto Sassu

Cool, this is a really nice patchset!

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

> 
> Roberto Sassu (4):
>   ima: added error messages to template-related functions
>   ima: make a copy of template_fmt in template_desc_init_fields()
>   ima: display template format in meas. list if template name length is
>     zero
>   ima: added support for new kernel cmdline parameter ima_template_fmt
> 
>  Documentation/kernel-parameters.txt      |  4 ++
>  Documentation/security/IMA-templates.txt | 29 +++++++------
>  security/integrity/ima/ima_fs.c          | 18 ++++++--
>  security/integrity/ima/ima_template.c    | 71 ++++++++++++++++++++++++++++++--
>  4 files changed, 100 insertions(+), 22 deletions(-)
>