From: Prakhar Srivastava <prsriva02@gmail.com>
To: linux-integrity@vger.kernel.org,
linux-secuirty-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: zohar@linux.ibm.com, ebiederm@xmission.com, vgoyal@redhat.com,
nayna@linux.ibm.com, Prakhar Srivastava <prsriva02@gmail.com>
Subject: [PATCH v3 2/4] add the buffer to the xattr
Date: Mon, 29 Apr 2019 14:47:41 -0700 [thread overview]
Message-ID: <20190429214743.4625-3-prsriva02@gmail.com> (raw)
In-Reply-To: <20190429214743.4625-1-prsriva02@gmail.com>
From: Prakhar Srivastava <prsriva02@gmail.com>
add the buffer to the xattr for a buffer case
Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com>
---
security/integrity/ima/ima_main.c | 37 ++++++++++++++++++++---
security/integrity/ima/ima_template_lib.c | 3 +-
security/integrity/integrity.h | 1 +
3 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 3db3f3966ac7..7362952ab273 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -603,16 +603,37 @@ static int process_buffer_measurement(const void *buff, int size,
struct ima_digest_data hdr;
char digest[IMA_MAX_DIGEST_SIZE];
} hash;
+ struct buffer_xattr {
+ enum evm_ima_xattr_type type;
+ u16 buff_length;
+ unsigned char buff[0];
+ };
+
int violation = 0;
int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
+ struct buffer_xattr *buffer_event_data = NULL;
+ int alloc_length = 0;
+ int action = 0;
if (!buff || size == 0 || !eventname)
goto err_out;
- if (ima_get_action(NULL, cred, secid, 0, BUFFER_CHECK, &pcr)
- != IMA_MEASURE)
+ action = ima_get_action(NULL, cred, secid, 0, BUFFER_CHECK, &pcr);
+ if (!(action & IMA_AUDIT) && !(action & IMA_MEASURE))
+ goto err_out;
+
+ alloc_length = sizeof(struct buffer_xattr) + size;
+ buffer_event_data = kzalloc(alloc_length, GFP_KERNEL);
+ if (!buffer_event_data)
goto err_out;
+ buffer_event_data->type = IMA_XATTR_BUFFER;
+ buffer_event_data->buff_length = size;
+ memcpy(buffer_event_data->buff, buff, size);
+
+ event_data.xattr_value = (struct evm_ima_xattr_data *)buffer_event_data;
+ event_data.xattr_len = alloc_length;
+
memset(iint, 0, sizeof(*iint));
memset(&hash, 0, sizeof(hash));
@@ -630,17 +651,23 @@ static int process_buffer_measurement(const void *buff, int size,
if (ret < 0)
goto err_out;
- ret = ima_store_template(entry, violation, NULL,
+ if (action & IMA_MEASURE)
+ ret = ima_store_template(entry, violation, NULL,
buff, pcr);
+
if (ret < 0) {
ima_free_template_entry(entry);
goto err_out;
}
- return 0;
+ if (action & IMA_AUDIT)
+ ima_audit_measurement(iint, event_data.filename);
+
+ ret = 0;
err_out:
- pr_err("Error in adding buffer measure: %d\n", ret);
+ kfree(buffer_event_data);
+ pr_debug("%s return: %d\n", __func__, ret);
return ret;
}
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 513b457ae900..d22de3d8fcd9 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -383,7 +383,8 @@ int ima_eventsig_init(struct ima_event_data *event_data,
{
struct evm_ima_xattr_data *xattr_value = event_data->xattr_value;
- if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
+ if ((!xattr_value) || !((xattr_value->type == EVM_IMA_XATTR_DIGSIG) ||
+ (xattr_value->type == IMA_XATTR_BUFFER)))
return 0;
return ima_write_template_field_data(xattr_value, event_data->xattr_len,
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 7de59f44cba3..14ef904f091d 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -74,6 +74,7 @@ enum evm_ima_xattr_type {
EVM_IMA_XATTR_DIGSIG,
IMA_XATTR_DIGEST_NG,
EVM_XATTR_PORTABLE_DIGSIG,
+ IMA_XATTR_BUFFER,
IMA_XATTR_LAST
};
--
2.19.1
next prev parent reply other threads:[~2019-04-29 21:48 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-29 21:47 [PATCH v3 0/4] Add a new ima_hook buffer_check to measure buffers critical for attestation Prakhar Srivastava
2019-04-29 21:47 ` [PATCH v3 1/4] added a new ima policy func buffer_check, and ima hook to measure the buffer hash into ima Prakhar Srivastava
2019-05-02 16:52 ` Mimi Zohar
2019-04-29 21:47 ` Prakhar Srivastava [this message]
2019-05-02 16:52 ` [PATCH v3 2/4] add the buffer to the xattr Mimi Zohar
2019-04-29 21:47 ` [PATCH v3 3/4] add kexec_cmdline used to ima Prakhar Srivastava
2019-05-02 16:52 ` Mimi Zohar
2019-05-02 16:58 ` Al Viro
2019-04-29 21:47 ` [PATCH v3 4/4] added LSM hook to call ima_buffer_check Prakhar Srivastava
2019-05-02 16:52 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190429214743.4625-3-prsriva02@gmail.com \
--to=prsriva02@gmail.com \
--cc=ebiederm@xmission.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-secuirty-module@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=vgoyal@redhat.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).