Linux cryptographic layer development
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: linux-security-module@vger.kernel.org
Cc: Roberto Sassu <roberto.sassu@polito.it>,
	linux-crypto@vger.kernel.org, David Howells <dhowells@redhat.com>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>
Subject: [RFC][PATCH 11/20] ima: pass the filename argument up to ima_add_template_entry()
Date: Wed, 17 Jul 2013 19:51:31 -0400	[thread overview]
Message-ID: <1374105100-25880-12-git-send-email-zohar@linux.vnet.ibm.com> (raw)
In-Reply-To: <1374105100-25880-1-git-send-email-zohar@linux.vnet.ibm.com>

From: Roberto Sassu <roberto.sassu@polito.it>

Pass the filename argument to ima_add_template_entry() in order to
eliminate a dependency on template specific data (third argument of
integrity_audit_msg).

This change is required because, with the new template management
mechanism, the generation of a new measurement entry will be performed
by new specific functions (introduced in next patches) and the current IMA
code will not be aware anymore of how data is stored in the entry payload.

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
 security/integrity/ima/ima.h       | 5 +++--
 security/integrity/ima/ima_api.c   | 9 +++++----
 security/integrity/ima/ima_init.c  | 3 ++-
 security/integrity/ima/ima_queue.c | 6 +++---
 4 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index d7bec6f..27d2ffb 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -69,7 +69,8 @@ int ima_fs_init(void);
 void ima_fs_cleanup(void);
 int ima_inode_alloc(struct inode *inode);
 int ima_add_template_entry(struct ima_template_entry *entry, int violation,
-			   const char *op, struct inode *inode);
+			   const char *op, struct inode *inode,
+			   const unsigned char *filename);
 int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
 int ima_calc_buffer_hash(const void *data, int len,
 			 struct ima_digest_data *hash);
@@ -107,7 +108,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
 void ima_audit_measurement(struct integrity_iint_cache *iint,
 			   const unsigned char *filename);
 int ima_store_template(struct ima_template_entry *entry, int violation,
-		       struct inode *inode);
+		       struct inode *inode, const unsigned char *filename);
 void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show);
 const char *ima_d_path(struct path *path, char **pathbuf);
 
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 98160a3..a0fe504 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -40,7 +40,8 @@ static const char *IMA_TEMPLATE_NAME = "ima";
  * Returns 0 on success, error code otherwise
  */
 int ima_store_template(struct ima_template_entry *entry,
-		       int violation, struct inode *inode)
+		       int violation, struct inode *inode,
+		       const unsigned char *filename)
 {
 	const char *op = "add_template_measure";
 	const char *audit_cause = "hashing_error";
@@ -67,7 +68,7 @@ int ima_store_template(struct ima_template_entry *entry,
 		}
 		memcpy(entry->digest, hash.hdr.digest, hash.hdr.length);
 	}
-	result = ima_add_template_entry(entry, violation, op, inode);
+	result = ima_add_template_entry(entry, violation, op, inode, filename);
 	return result;
 }
 
@@ -96,7 +97,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
 	}
 	memset(&entry->template, 0, sizeof(entry->template));
 	strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX);
-	result = ima_store_template(entry, violation, inode);
+	result = ima_store_template(entry, violation, inode, filename);
 	if (result < 0)
 		kfree(entry);
 err_out:
@@ -248,7 +249,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
 	       (strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ?
 	       file->f_dentry->d_name.name : filename);
 
-	result = ima_store_template(entry, violation, inode);
+	result = ima_store_template(entry, violation, inode, filename);
 	if (!result || result == -EEXIST)
 		iint->flags |= IMA_MEASURED;
 	if (result < 0)
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 77cd500..d42fac3 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -71,7 +71,8 @@ static void __init ima_add_boot_aggregate(void)
 		memcpy(entry->template.digest, hash.hdr.digest,
 		       hash.hdr.length);
 	}
-	result = ima_store_template(entry, violation, NULL);
+	result = ima_store_template(entry, violation, NULL,
+				    boot_aggregate_name);
 	if (result < 0)
 		kfree(entry);
 	return;
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index e63ff33..d85e997 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -104,7 +104,8 @@ static int ima_pcr_extend(const u8 *hash)
  * and extend the pcr.
  */
 int ima_add_template_entry(struct ima_template_entry *entry, int violation,
-			   const char *op, struct inode *inode)
+			   const char *op, struct inode *inode,
+			   const unsigned char *filename)
 {
 	u8 digest[TPM_DIGEST_SIZE];
 	const char *audit_cause = "hash_added";
@@ -141,8 +142,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
 	}
 out:
 	mutex_unlock(&ima_extend_list_mutex);
-	integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
-			    entry->template.file_name,
+	integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
 			    op, audit_cause, result, audit_info);
 	return result;
 }
-- 
1.8.1.4


  parent reply	other threads:[~2013-07-17 23:51 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-07-17 23:51 [RFC][PATCH 00/20] ima: larger digests and template support Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 01/20] crypto: provide single place for hash algo information Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 02/20] keys: change asymmetric keys to use common hash definitions Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 03/20] ima: provide support for arbitrary hash algorithms Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 04/20] ima: read and use signature hash algorithm Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 05/20] ima: use dynamically allocated hash storage Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 06/20] ima: differentiate between template hash and file data hash sizes Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 07/20] ima: provide dedicated hash algo allocation function Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 08/20] ima: support arbitrary hash algorithms in ima_calc_buffer_hash Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 09/20] ima: ima_calc_boot_agregate must use SHA1 Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 10/20] ima: pass the file descriptor to ima_add_violation() Mimi Zohar
2013-07-17 23:51 ` Mimi Zohar [this message]
2013-07-17 23:51 ` [RFC][PATCH 12/20] ima: define new function ima_alloc_init_template() to API Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 13/20] ima: new templates management mechanism Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 14/20] ima: define template fields library and new helpers Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 15/20] ima: define new template ima-ng and template fields d-ng and n-ng Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 16/20] ima: switch to new template management mechanism Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 17/20] ima: defer determining the appraisal hash algorithm for 'ima' template Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 18/20] ima: add Kconfig default measurement list template Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 19/20] ima: define kernel parameter 'ima_template=' to change configured default Mimi Zohar
2013-07-17 23:51 ` [RFC][PATCH 20/20] ima: enable support for larger default filedata hash algorithms Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1374105100-25880-12-git-send-email-zohar@linux.vnet.ibm.com \
    --to=zohar@linux.vnet.ibm.com \
    --cc=dhowells@redhat.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=roberto.sassu@polito.it \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox