[PATCH-v2 0/3] ima: add support for custom template formats

[PATCH-v2 0/3] ima: add support for custom template formats

[Roberto Sassu]

[-- Attachment #1: Type: text/plain, Size: 2265 bytes --]

Hi everyone

currently accepted patches for the new template management mechanism allow to
choose among a list of supported templates, statically defined in the code.
This functionality is not flexible enough as users may want to include
in their measurements list only information needed and not use predefined
combinations.

For this reason, this patch set introduces the new kernel command line parameter
'ima_template_fmt' to specify a custom template format at boot time,
i.e. a string of template fields identifiers concatenated with the '|'
separator character. The complete list of defined template fields can be
found in Documentation/security/IMA-templates.txt.

The format string is checked at the very beginning in the setup function
ima_template_fmt_setup() so that, if it is wrong, IMA can go back to the
default template, selected through a kernel configuration option.

To allow userspace tools parse a measurements list with a custom format, IMA
provides as template name the same format string provided by users at boot
time, so that tools know which information are included in a entry and extract
them if they can handle listed template fields.


Changelog:
 - patch 2/3: fixed patch description (Roberto Sassu, suggested by Mimi Zohar)
 - patch 3/3: set 'template_name' variable in ima_fs.c only once
   (Roberto Sassu, suggested by Mimi Zohar)
 - patch 3/3: simplified code of ima_template_fmt_setup()
   (Roberto Sassu, suggested by Mimi Zohar)
 - the patch 'ima: make a copy of template_fmt in template_desc_init_fields()'
   has been removed from this version of the patch set since it has been already
   merged in the mainline kernel (commit: dbc335d2d + fix: af91706d5)

Roberto Sassu


Roberto Sassu (3):
  ima: added error messages to template-related functions
  ima: display template format in meas. list if template name length is
    zero
  ima: added support for new kernel cmdline parameter ima_template_fmt

 Documentation/kernel-parameters.txt      |  4 +++
 Documentation/security/IMA-templates.txt | 29 ++++++++---------
 security/integrity/ima/ima_fs.c          | 16 +++++++---
 security/integrity/ima/ima_template.c    | 55 ++++++++++++++++++++++++++++++--
 4 files changed, 83 insertions(+), 21 deletions(-)

-- 
1.8.1.4


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 2061 bytes --]

[PATCH-v2 1/3] ima: added error messages to template-related functions

[Roberto Sassu]

[-- Attachment #1: Type: text/plain, Size: 1668 bytes --]

This patch adds some error messages to inform users about the following
events: template descriptor not found, template field not found, and
template initialization failed.

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
 security/integrity/ima/ima_template.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index 635695f..a001477 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -49,8 +49,11 @@ static int __init ima_template_setup(char *str)
 	 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
 	 */
 	template_desc = lookup_template_desc(str);
-	if (!template_desc)
+	if (!template_desc) {
+		pr_err("IMA: template %s not found, using %s\n",
+		       str, CONFIG_IMA_DEFAULT_TEMPLATE);
 		return 1;
+	}
 
 	/*
 	 * Verify whether the current hash algorithm is supported
@@ -134,6 +137,7 @@ static int template_desc_init_fields(const char *template_fmt,
 		struct ima_template_field *f = lookup_template_field(c);
 
 		if (!f) {
+			pr_err("IMA: field '%s' not found\n", c);
 			result = -ENOENT;
 			goto out;
 		}
@@ -161,8 +165,12 @@ static int init_defined_templates(void)
 		result = template_desc_init_fields(template->fmt,
 						   &(template->fields),
 						   &(template->num_fields));
-		if (result < 0)
+		if (result < 0) {
+			pr_err("IMA: template %s init failed, result: %d\n",
+			       (strlen(template->name) ?
+			       template->name : template->fmt), result);
 			return result;
+		}
 	}
 	return result;
 }
-- 
1.8.1.4


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 2061 bytes --]

[PATCH-v2 2/3] ima: display template format in meas. list if template name length is zero

[Roberto Sassu]

[-- Attachment #1: Type: text/plain, Size: 3305 bytes --]

With the introduction of the 'ima_template_fmt' kernel cmdline parameter,
an user can define a new template descriptor with custom format. However,
in this case, userspace tools will be unable to parse the measurements
list because the new template is unknown. For this reason, this patch
modifies the current IMA behavior to display in the list the template
format instead of the name (only if the length of the latter is zero)
so that a tool can extract needed information if it can handle listed
fields.

Changelog:
 - fixed patch description (Roberto Sassu, suggested by Mimi Zohar)
 - set 'template_name' variable in ima_fs.c only once
   (Roberto Sassu, suggested by Mimi Zohar)

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
 security/integrity/ima/ima_fs.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index db01125..8b5c182 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -118,6 +118,7 @@ static int ima_measurements_show(struct seq_file *m, void *v)
 	/* the list never shrinks, so we don't need a lock here */
 	struct ima_queue_entry *qe = v;
 	struct ima_template_entry *e;
+	char *template_name;
 	int namelen;
 	u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX;
 	bool is_ima_template = false;
@@ -128,6 +129,9 @@ static int ima_measurements_show(struct seq_file *m, void *v)
 	if (e == NULL)
 		return -1;
 
+	template_name = (strlen(e->template_desc->name) != 0) ?
+	    e->template_desc->name : e->template_desc->fmt;
+
 	/*
 	 * 1st: PCRIndex
 	 * PCR used is always the same (config option) in
@@ -139,14 +143,14 @@ static int ima_measurements_show(struct seq_file *m, void *v)
 	ima_putc(m, e->digest, TPM_DIGEST_SIZE);
 
 	/* 3rd: template name size */
-	namelen = strlen(e->template_desc->name);
+	namelen = strlen(template_name);
 	ima_putc(m, &namelen, sizeof namelen);
 
 	/* 4th:  template name */
-	ima_putc(m, e->template_desc->name, namelen);
+	ima_putc(m, template_name, namelen);
 
 	/* 5th:  template length (except for 'ima' template) */
-	if (strcmp(e->template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0)
+	if (strcmp(template_name, IMA_TEMPLATE_IMA_NAME) == 0)
 		is_ima_template = true;
 
 	if (!is_ima_template)
@@ -198,6 +202,7 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
 	/* the list never shrinks, so we don't need a lock here */
 	struct ima_queue_entry *qe = v;
 	struct ima_template_entry *e;
+	char *template_name;
 	int i;
 
 	/* get entry */
@@ -205,6 +210,9 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
 	if (e == NULL)
 		return -1;
 
+	template_name = (strlen(e->template_desc->name) != 0) ?
+	    e->template_desc->name : e->template_desc->fmt;
+
 	/* 1st: PCR used (config option) */
 	seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX);
 
@@ -212,7 +220,7 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
 	ima_print_digest(m, e->digest, TPM_DIGEST_SIZE);
 
 	/* 3th:  template name */
-	seq_printf(m, " %s", e->template_desc->name);
+	seq_printf(m, " %s", template_name);
 
 	/* 4th:  template specific data */
 	for (i = 0; i < e->template_desc->num_fields; i++) {
-- 
1.8.1.4


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 2061 bytes --]

[PATCH-v2 3/3] ima: added support for new kernel cmdline parameter ima_template_fmt

[Roberto Sassu]

[-- Attachment #1: Type: text/plain, Size: 7112 bytes --]

This patch allows users to provide a custom template format through the
new kernel command line parameter 'ima_template_fmt'. If the supplied
format is not valid, IMA uses the default template descriptor.

Changelog:
 - simplified code of ima_template_fmt_setup()
   (Roberto Sassu, suggested by Mimi Zohar)

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
 Documentation/kernel-parameters.txt      |  4 +++
 Documentation/security/IMA-templates.txt | 29 +++++++++++----------
 security/integrity/ima/ima_template.c    | 43 ++++++++++++++++++++++++++++++++
 3 files changed, 61 insertions(+), 15 deletions(-)

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 50680a5..bb45dbc 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1208,6 +1208,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 			Formats: { "ima" | "ima-ng" }
 			Default: "ima-ng"
 
+	ima_template_fmt=
+	                [IMA] Define a custom template format.
+			Format: { "field1|...|fieldN" }
+
 	init=		[KNL]
 			Format: <full_path>
 			Run specified binary instead of /sbin/init as init
diff --git a/Documentation/security/IMA-templates.txt b/Documentation/security/IMA-templates.txt
index a4e102d..7d065f0 100644
--- a/Documentation/security/IMA-templates.txt
+++ b/Documentation/security/IMA-templates.txt
@@ -27,25 +27,22 @@ Managing templates with these structures is very simple. To support
 a new data type, developers define the field identifier and implement
 two functions, init() and show(), respectively to generate and display
 measurement entries. Defining a new template descriptor requires
-specifying the template format, a string of field identifiers separated
-by the '|' character. While in the current implementation it is possible
-to define new template descriptors only by adding their definition in the
-template specific code (ima_template.c), in a future version it will be
-possible to register a new template on a running kernel by supplying to IMA
-the desired format string. In this version, IMA initializes at boot time
-all defined template descriptors by translating the format into an array
-of template fields structures taken from the set of the supported ones.
+specifying the template format (a string of field identifiers separated
+by the '|' character) through the 'ima_template_fmt' kernel command line
+parameter. At boot time, IMA initializes all defined template descriptors
+by translating the format into an array of template fields structures taken
+from the set of the supported ones.
 
 After the initialization step, IMA will call ima_alloc_init_template()
 (new function defined within the patches for the new template management
 mechanism) to generate a new measurement entry by using the template
 descriptor chosen through the kernel configuration or through the newly
-introduced 'ima_template=' kernel command line parameter. It is during this
-phase that the advantages of the new architecture are clearly shown:
-the latter function will not contain specific code to handle a given template
-but, instead, it simply calls the init() method of the template fields
-associated to the chosen template descriptor and store the result (pointer
-to allocated data and data length) in the measurement entry structure.
+introduced 'ima_template' and 'ima_template_fmt' kernel command line parameters.
+It is during this phase that the advantages of the new architecture are
+clearly shown: the latter function will not contain specific code to handle
+a given template but, instead, it simply calls the init() method of the template
+fields associated to the chosen template descriptor and store the result
+(pointer to allocated data and data length) in the measurement entry structure.
 
 The same mechanism is employed to display measurements entries.
 The functions ima[_ascii]_measurements_show() retrieve, for each entry,
@@ -86,4 +83,6 @@ currently the following methods are supported:
  - select a template descriptor among those supported in the kernel
    configuration ('ima-ng' is the default choice);
  - specify a template descriptor name from the kernel command line through
-   the 'ima_template=' parameter.
+   the 'ima_template=' parameter;
+ - register a new template descriptor with custom format through the kernel
+   command line parameter 'ima_template_fmt='.
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index a001477..11adf4a 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -21,6 +21,7 @@ static struct ima_template_desc defined_templates[] = {
 	{.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
 	{.name = "ima-ng",.fmt = "d-ng|n-ng"},
 	{.name = "ima-sig",.fmt = "d-ng|n-ng|sig"},
+	{.name = "",.fmt = ""},	/* placeholder for a custom format */
 };
 
 static struct ima_template_field supported_fields[] = {
@@ -38,12 +39,16 @@ static struct ima_template_field supported_fields[] = {
 
 static struct ima_template_desc *ima_template;
 static struct ima_template_desc *lookup_template_desc(const char *name);
+static struct ima_template_field *lookup_template_field(const char *field_id);
 
 static int __init ima_template_setup(char *str)
 {
 	struct ima_template_desc *template_desc;
 	int template_len = strlen(str);
 
+	if (ima_template)
+		return 1;
+
 	/*
 	 * Verify that a template with the supplied name exists.
 	 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
@@ -70,6 +75,41 @@ static int __init ima_template_setup(char *str)
 }
 __setup("ima_template=", ima_template_setup);
 
+static int __init ima_template_fmt_setup(char *str)
+{
+	int num_templates = ARRAY_SIZE(defined_templates);
+	char *str_ptr = str;
+
+	if (ima_template)
+		return 1;
+
+	while (str_ptr != NULL) {
+		char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
+		int len = strcspn(str_ptr, "|");
+
+		if (len >= IMA_TEMPLATE_FIELD_ID_MAX_LEN) {
+			pr_err("IMA: field too long, using template %s\n",
+			       CONFIG_IMA_DEFAULT_TEMPLATE);
+			return 1;
+		}
+
+		memcpy(field_id, str_ptr, len);
+		field_id[len] = '\0';
+		if (lookup_template_field(field_id) == NULL) {
+			pr_err("IMA: field '%s' not found, using template %s\n",
+			       field_id, CONFIG_IMA_DEFAULT_TEMPLATE);
+			return 1;
+		}
+
+		str_ptr = (str_ptr[len] == '|') ? str_ptr + len + 1 : NULL;
+	}
+
+	defined_templates[num_templates - 1].fmt = str;
+	ima_template = defined_templates + num_templates - 1;
+	return 1;
+}
+__setup("ima_template_fmt=", ima_template_fmt_setup);
+
 static struct ima_template_desc *lookup_template_desc(const char *name)
 {
 	int i;
@@ -162,6 +202,9 @@ static int init_defined_templates(void)
 	for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
 		struct ima_template_desc *template = &defined_templates[i];
 
+		if (strlen(template->fmt) == 0)
+			continue;
+
 		result = template_desc_init_fields(template->fmt,
 						   &(template->fields),
 						   &(template->num_fields));
-- 
1.8.1.4


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 2061 bytes --]

Re: [PATCH-v2 3/3] ima: added support for new kernel cmdline parameter ima_template_fmt

[Mimi Zohar]

On Fri, 2013-12-06 at 13:57 +0100, Roberto Sassu wrote:
> This patch allows users to provide a custom template format through the
> new kernel command line parameter 'ima_template_fmt'. If the supplied
> format is not valid, IMA uses the default template descriptor.
> 
> Changelog:
>  - simplified code of ima_template_fmt_setup()
>    (Roberto Sassu, suggested by Mimi Zohar)
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> ---
>  Documentation/kernel-parameters.txt      |  4 +++
>  Documentation/security/IMA-templates.txt | 29 +++++++++++----------
>  security/integrity/ima/ima_template.c    | 43 ++++++++++++++++++++++++++++++++
>  3 files changed, 61 insertions(+), 15 deletions(-)
> 
> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
> index 50680a5..bb45dbc 100644
> --- a/Documentation/kernel-parameters.txt
> +++ b/Documentation/kernel-parameters.txt
> @@ -1208,6 +1208,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
>  			Formats: { "ima" | "ima-ng" }
>  			Default: "ima-ng"
> 
> +	ima_template_fmt=
> +	                [IMA] Define a custom template format.
> +			Format: { "field1|...|fieldN" }
> +
>  	init=		[KNL]
>  			Format: <full_path>
>  			Run specified binary instead of /sbin/init as init
> diff --git a/Documentation/security/IMA-templates.txt b/Documentation/security/IMA-templates.txt
> index a4e102d..7d065f0 100644
> --- a/Documentation/security/IMA-templates.txt
> +++ b/Documentation/security/IMA-templates.txt
> @@ -27,25 +27,22 @@ Managing templates with these structures is very simple. To support
>  a new data type, developers define the field identifier and implement
>  two functions, init() and show(), respectively to generate and display
>  measurement entries. Defining a new template descriptor requires
> -specifying the template format, a string of field identifiers separated
> -by the '|' character. While in the current implementation it is possible
> -to define new template descriptors only by adding their definition in the
> -template specific code (ima_template.c), in a future version it will be
> -possible to register a new template on a running kernel by supplying to IMA
> -the desired format string. In this version, IMA initializes at boot time
> -all defined template descriptors by translating the format into an array
> -of template fields structures taken from the set of the supported ones.
> +specifying the template format (a string of field identifiers separated
> +by the '|' character) through the 'ima_template_fmt' kernel command line
> +parameter. At boot time, IMA initializes all defined template descriptors
> +by translating the format into an array of template fields structures taken
> +from the set of the supported ones.
> 
>  After the initialization step, IMA will call ima_alloc_init_template()
>  (new function defined within the patches for the new template management
>  mechanism) to generate a new measurement entry by using the template
>  descriptor chosen through the kernel configuration or through the newly
> -introduced 'ima_template=' kernel command line parameter. It is during this
> -phase that the advantages of the new architecture are clearly shown:
> -the latter function will not contain specific code to handle a given template
> -but, instead, it simply calls the init() method of the template fields
> -associated to the chosen template descriptor and store the result (pointer
> -to allocated data and data length) in the measurement entry structure.
> +introduced 'ima_template' and 'ima_template_fmt' kernel command line parameters.
> +It is during this phase that the advantages of the new architecture are
> +clearly shown: the latter function will not contain specific code to handle
> +a given template but, instead, it simply calls the init() method of the template
> +fields associated to the chosen template descriptor and store the result
> +(pointer to allocated data and data length) in the measurement entry structure.
> 
>  The same mechanism is employed to display measurements entries.
>  The functions ima[_ascii]_measurements_show() retrieve, for each entry,
> @@ -86,4 +83,6 @@ currently the following methods are supported:
>   - select a template descriptor among those supported in the kernel
>     configuration ('ima-ng' is the default choice);
>   - specify a template descriptor name from the kernel command line through
> -   the 'ima_template=' parameter.
> +   the 'ima_template=' parameter;
> + - register a new template descriptor with custom format through the kernel
> +   command line parameter 'ima_template_fmt='.
> diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
> index a001477..11adf4a 100644
> --- a/security/integrity/ima/ima_template.c
> +++ b/security/integrity/ima/ima_template.c
> @@ -21,6 +21,7 @@ static struct ima_template_desc defined_templates[] = {
>  	{.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
>  	{.name = "ima-ng",.fmt = "d-ng|n-ng"},
>  	{.name = "ima-sig",.fmt = "d-ng|n-ng|sig"},
> +	{.name = "",.fmt = ""},	/* placeholder for a custom format */
>  };
> 
>  static struct ima_template_field supported_fields[] = {
> @@ -38,12 +39,16 @@ static struct ima_template_field supported_fields[] = {
> 
>  static struct ima_template_desc *ima_template;
>  static struct ima_template_desc *lookup_template_desc(const char *name);
> +static struct ima_template_field *lookup_template_field(const char *field_id);
> 
>  static int __init ima_template_setup(char *str)
>  {
>  	struct ima_template_desc *template_desc;
>  	int template_len = strlen(str);
> 
> +	if (ima_template)
> +		return 1;
> +
>  	/*
>  	 * Verify that a template with the supplied name exists.
>  	 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
> @@ -70,6 +75,41 @@ static int __init ima_template_setup(char *str)
>  }
>  __setup("ima_template=", ima_template_setup);
> 
> +static int __init ima_template_fmt_setup(char *str)
> +{
> +	int num_templates = ARRAY_SIZE(defined_templates);
> +	char *str_ptr = str;
> +
> +	if (ima_template)
> +		return 1;
> +
> +	while (str_ptr != NULL) {
> +		char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
> +		int len = strcspn(str_ptr, "|");
> +
> +		if (len >= IMA_TEMPLATE_FIELD_ID_MAX_LEN) {
> +			pr_err("IMA: field too long, using template %s\n",
> +			       CONFIG_IMA_DEFAULT_TEMPLATE);
> +			return 1;
> +		}
> +
> +		memcpy(field_id, str_ptr, len);
> +		field_id[len] = '\0';
> +		if (lookup_template_field(field_id) == NULL) {
> +			pr_err("IMA: field '%s' not found, using template %s\n",
> +			       field_id, CONFIG_IMA_DEFAULT_TEMPLATE);
> +			return 1;
> +		}
> +
> +		str_ptr = (str_ptr[len] == '|') ? str_ptr + len + 1 : NULL;

Personally, I think it would be cleaner to use a 'for' loop.  Something
like: for (bufp = buf; bufp < bufend; bufp += len + 1)

thanks,

Mimi 

> +	}
> +
> +	defined_templates[num_templates - 1].fmt = str;
> +	ima_template = defined_templates + num_templates - 1;
> +	return 1;
> +}
> +__setup("ima_template_fmt=", ima_template_fmt_setup);
> +
>  static struct ima_template_desc *lookup_template_desc(const char *name)
>  {
>  	int i;
> @@ -162,6 +202,9 @@ static int init_defined_templates(void)
>  	for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
>  		struct ima_template_desc *template = &defined_templates[i];
> 
> +		if (strlen(template->fmt) == 0)
> +			continue;
> +
>  		result = template_desc_init_fields(template->fmt,
>  						   &(template->fields),
>  						   &(template->num_fields));

Re: [PATCH-v2 3/3] ima: added support for new kernel cmdline parameter ima_template_fmt

[Roberto Sassu]

On 12/06/2013 08:36 PM, Mimi Zohar wrote:
> On Fri, 2013-12-06 at 13:57 +0100, Roberto Sassu wrote:
>> This patch allows users to provide a custom template format through the
>> new kernel command line parameter 'ima_template_fmt'. If the supplied
>> format is not valid, IMA uses the default template descriptor.
>>
>> Changelog:
>>   - simplified code of ima_template_fmt_setup()
>>     (Roberto Sassu, suggested by Mimi Zohar)
>>
>> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
>> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
>> ---
>>   Documentation/kernel-parameters.txt      |  4 +++
>>   Documentation/security/IMA-templates.txt | 29 +++++++++++----------
>>   security/integrity/ima/ima_template.c    | 43 ++++++++++++++++++++++++++++++++
>>   3 files changed, 61 insertions(+), 15 deletions(-)
>>
>> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
>> index 50680a5..bb45dbc 100644
>> --- a/Documentation/kernel-parameters.txt
>> +++ b/Documentation/kernel-parameters.txt
>> @@ -1208,6 +1208,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
>>   			Formats: { "ima" | "ima-ng" }
>>   			Default: "ima-ng"
>>
>> +	ima_template_fmt=
>> +	                [IMA] Define a custom template format.
>> +			Format: { "field1|...|fieldN" }
>> +
>>   	init=		[KNL]
>>   			Format: <full_path>
>>   			Run specified binary instead of /sbin/init as init
>> diff --git a/Documentation/security/IMA-templates.txt b/Documentation/security/IMA-templates.txt
>> index a4e102d..7d065f0 100644
>> --- a/Documentation/security/IMA-templates.txt
>> +++ b/Documentation/security/IMA-templates.txt
>> @@ -27,25 +27,22 @@ Managing templates with these structures is very simple. To support
>>   a new data type, developers define the field identifier and implement
>>   two functions, init() and show(), respectively to generate and display
>>   measurement entries. Defining a new template descriptor requires
>> -specifying the template format, a string of field identifiers separated
>> -by the '|' character. While in the current implementation it is possible
>> -to define new template descriptors only by adding their definition in the
>> -template specific code (ima_template.c), in a future version it will be
>> -possible to register a new template on a running kernel by supplying to IMA
>> -the desired format string. In this version, IMA initializes at boot time
>> -all defined template descriptors by translating the format into an array
>> -of template fields structures taken from the set of the supported ones.
>> +specifying the template format (a string of field identifiers separated
>> +by the '|' character) through the 'ima_template_fmt' kernel command line
>> +parameter. At boot time, IMA initializes all defined template descriptors
>> +by translating the format into an array of template fields structures taken
>> +from the set of the supported ones.
>>
>>   After the initialization step, IMA will call ima_alloc_init_template()
>>   (new function defined within the patches for the new template management
>>   mechanism) to generate a new measurement entry by using the template
>>   descriptor chosen through the kernel configuration or through the newly
>> -introduced 'ima_template=' kernel command line parameter. It is during this
>> -phase that the advantages of the new architecture are clearly shown:
>> -the latter function will not contain specific code to handle a given template
>> -but, instead, it simply calls the init() method of the template fields
>> -associated to the chosen template descriptor and store the result (pointer
>> -to allocated data and data length) in the measurement entry structure.
>> +introduced 'ima_template' and 'ima_template_fmt' kernel command line parameters.
>> +It is during this phase that the advantages of the new architecture are
>> +clearly shown: the latter function will not contain specific code to handle
>> +a given template but, instead, it simply calls the init() method of the template
>> +fields associated to the chosen template descriptor and store the result
>> +(pointer to allocated data and data length) in the measurement entry structure.
>>
>>   The same mechanism is employed to display measurements entries.
>>   The functions ima[_ascii]_measurements_show() retrieve, for each entry,
>> @@ -86,4 +83,6 @@ currently the following methods are supported:
>>    - select a template descriptor among those supported in the kernel
>>      configuration ('ima-ng' is the default choice);
>>    - specify a template descriptor name from the kernel command line through
>> -   the 'ima_template=' parameter.
>> +   the 'ima_template=' parameter;
>> + - register a new template descriptor with custom format through the kernel
>> +   command line parameter 'ima_template_fmt='.
>> diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
>> index a001477..11adf4a 100644
>> --- a/security/integrity/ima/ima_template.c
>> +++ b/security/integrity/ima/ima_template.c
>> @@ -21,6 +21,7 @@ static struct ima_template_desc defined_templates[] = {
>>   	{.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
>>   	{.name = "ima-ng",.fmt = "d-ng|n-ng"},
>>   	{.name = "ima-sig",.fmt = "d-ng|n-ng|sig"},
>> +	{.name = "",.fmt = ""},	/* placeholder for a custom format */
>>   };
>>
>>   static struct ima_template_field supported_fields[] = {
>> @@ -38,12 +39,16 @@ static struct ima_template_field supported_fields[] = {
>>
>>   static struct ima_template_desc *ima_template;
>>   static struct ima_template_desc *lookup_template_desc(const char *name);
>> +static struct ima_template_field *lookup_template_field(const char *field_id);
>>
>>   static int __init ima_template_setup(char *str)
>>   {
>>   	struct ima_template_desc *template_desc;
>>   	int template_len = strlen(str);
>>
>> +	if (ima_template)
>> +		return 1;
>> +
>>   	/*
>>   	 * Verify that a template with the supplied name exists.
>>   	 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
>> @@ -70,6 +75,41 @@ static int __init ima_template_setup(char *str)
>>   }
>>   __setup("ima_template=", ima_template_setup);
>>
>> +static int __init ima_template_fmt_setup(char *str)
>> +{
>> +	int num_templates = ARRAY_SIZE(defined_templates);
>> +	char *str_ptr = str;
>> +
>> +	if (ima_template)
>> +		return 1;
>> +
>> +	while (str_ptr != NULL) {
>> +		char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
>> +		int len = strcspn(str_ptr, "|");
>> +
>> +		if (len >= IMA_TEMPLATE_FIELD_ID_MAX_LEN) {
>> +			pr_err("IMA: field too long, using template %s\n",
>> +			       CONFIG_IMA_DEFAULT_TEMPLATE);
>> +			return 1;
>> +		}
>> +
>> +		memcpy(field_id, str_ptr, len);
>> +		field_id[len] = '\0';
>> +		if (lookup_template_field(field_id) == NULL) {
>> +			pr_err("IMA: field '%s' not found, using template %s\n",
>> +			       field_id, CONFIG_IMA_DEFAULT_TEMPLATE);
>> +			return 1;
>> +		}
>> +
>> +		str_ptr = (str_ptr[len] == '|') ? str_ptr + len + 1 : NULL;
>
> Personally, I think it would be cleaner to use a 'for' loop.  Something
> like: for (bufp = buf; bufp < bufend; bufp += len + 1)
>

Hi Mimi

this solution will not work because it does not properly
handle a string like 'validfield|'. Indeed, at the second
iteration, you already reached the end of the string and
exit without detecting a field identifier of length zero.

Thanks

Roberto Sassu


> thanks,
>
> Mimi
>
>> +	}
>> +
>> +	defined_templates[num_templates - 1].fmt = str;
>> +	ima_template = defined_templates + num_templates - 1;
>> +	return 1;
>> +}
>> +__setup("ima_template_fmt=", ima_template_fmt_setup);
>> +
>>   static struct ima_template_desc *lookup_template_desc(const char *name)
>>   {
>>   	int i;
>> @@ -162,6 +202,9 @@ static int init_defined_templates(void)
>>   	for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
>>   		struct ima_template_desc *template = &defined_templates[i];
>>
>> +		if (strlen(template->fmt) == 0)
>> +			continue;
>> +
>>   		result = template_desc_init_fields(template->fmt,
>>   						   &(template->fields),
>>   						   &(template->num_fields));
>
>

Re: [PATCH-v2 3/3] ima: added support for new kernel cmdline parameter ima_template_fmt

[Mimi Zohar]

On Sat, 2013-12-07 at 10:57 +0100, Roberto Sassu wrote:
> On 12/06/2013 08:36 PM, Mimi Zohar wrote:
> > On Fri, 2013-12-06 at 13:57 +0100, Roberto Sassu wrote:
> >> This patch allows users to provide a custom template format through the
> >> new kernel command line parameter 'ima_template_fmt'. If the supplied
> >> format is not valid, IMA uses the default template descriptor.
> >>
> >> Changelog:
> >>   - simplified code of ima_template_fmt_setup()
> >>     (Roberto Sassu, suggested by Mimi Zohar)
> >>
> >> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
> >> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> >> ---
> >>   Documentation/kernel-parameters.txt      |  4 +++
> >>   Documentation/security/IMA-templates.txt | 29 +++++++++++----------
> >>   security/integrity/ima/ima_template.c    | 43 ++++++++++++++++++++++++++++++++
> >>   3 files changed, 61 insertions(+), 15 deletions(-)
> >>
> >> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
> >> index 50680a5..bb45dbc 100644
> >> --- a/Documentation/kernel-parameters.txt
> >> +++ b/Documentation/kernel-parameters.txt
> >> @@ -1208,6 +1208,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
> >>   			Formats: { "ima" | "ima-ng" }
> >>   			Default: "ima-ng"
> >>
> >> +	ima_template_fmt=
> >> +	                [IMA] Define a custom template format.
> >> +			Format: { "field1|...|fieldN" }
> >> +
> >>   	init=		[KNL]
> >>   			Format: <full_path>
> >>   			Run specified binary instead of /sbin/init as init
> >> diff --git a/Documentation/security/IMA-templates.txt b/Documentation/security/IMA-templates.txt
> >> index a4e102d..7d065f0 100644
> >> --- a/Documentation/security/IMA-templates.txt
> >> +++ b/Documentation/security/IMA-templates.txt
> >> @@ -27,25 +27,22 @@ Managing templates with these structures is very simple. To support
> >>   a new data type, developers define the field identifier and implement
> >>   two functions, init() and show(), respectively to generate and display
> >>   measurement entries. Defining a new template descriptor requires
> >> -specifying the template format, a string of field identifiers separated
> >> -by the '|' character. While in the current implementation it is possible
> >> -to define new template descriptors only by adding their definition in the
> >> -template specific code (ima_template.c), in a future version it will be
> >> -possible to register a new template on a running kernel by supplying to IMA
> >> -the desired format string. In this version, IMA initializes at boot time
> >> -all defined template descriptors by translating the format into an array
> >> -of template fields structures taken from the set of the supported ones.
> >> +specifying the template format (a string of field identifiers separated
> >> +by the '|' character) through the 'ima_template_fmt' kernel command line
> >> +parameter. At boot time, IMA initializes all defined template descriptors
> >> +by translating the format into an array of template fields structures taken
> >> +from the set of the supported ones.
> >>
> >>   After the initialization step, IMA will call ima_alloc_init_template()
> >>   (new function defined within the patches for the new template management
> >>   mechanism) to generate a new measurement entry by using the template
> >>   descriptor chosen through the kernel configuration or through the newly
> >> -introduced 'ima_template=' kernel command line parameter. It is during this
> >> -phase that the advantages of the new architecture are clearly shown:
> >> -the latter function will not contain specific code to handle a given template
> >> -but, instead, it simply calls the init() method of the template fields
> >> -associated to the chosen template descriptor and store the result (pointer
> >> -to allocated data and data length) in the measurement entry structure.
> >> +introduced 'ima_template' and 'ima_template_fmt' kernel command line parameters.
> >> +It is during this phase that the advantages of the new architecture are
> >> +clearly shown: the latter function will not contain specific code to handle
> >> +a given template but, instead, it simply calls the init() method of the template
> >> +fields associated to the chosen template descriptor and store the result
> >> +(pointer to allocated data and data length) in the measurement entry structure.
> >>
> >>   The same mechanism is employed to display measurements entries.
> >>   The functions ima[_ascii]_measurements_show() retrieve, for each entry,
> >> @@ -86,4 +83,6 @@ currently the following methods are supported:
> >>    - select a template descriptor among those supported in the kernel
> >>      configuration ('ima-ng' is the default choice);
> >>    - specify a template descriptor name from the kernel command line through
> >> -   the 'ima_template=' parameter.
> >> +   the 'ima_template=' parameter;
> >> + - register a new template descriptor with custom format through the kernel
> >> +   command line parameter 'ima_template_fmt='.
> >> diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
> >> index a001477..11adf4a 100644
> >> --- a/security/integrity/ima/ima_template.c
> >> +++ b/security/integrity/ima/ima_template.c
> >> @@ -21,6 +21,7 @@ static struct ima_template_desc defined_templates[] = {
> >>   	{.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
> >>   	{.name = "ima-ng",.fmt = "d-ng|n-ng"},
> >>   	{.name = "ima-sig",.fmt = "d-ng|n-ng|sig"},
> >> +	{.name = "",.fmt = ""},	/* placeholder for a custom format */
> >>   };
> >>
> >>   static struct ima_template_field supported_fields[] = {
> >> @@ -38,12 +39,16 @@ static struct ima_template_field supported_fields[] = {
> >>
> >>   static struct ima_template_desc *ima_template;
> >>   static struct ima_template_desc *lookup_template_desc(const char *name);
> >> +static struct ima_template_field *lookup_template_field(const char *field_id);
> >>
> >>   static int __init ima_template_setup(char *str)
> >>   {
> >>   	struct ima_template_desc *template_desc;
> >>   	int template_len = strlen(str);
> >>
> >> +	if (ima_template)
> >> +		return 1;
> >> +
> >>   	/*
> >>   	 * Verify that a template with the supplied name exists.
> >>   	 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
> >> @@ -70,6 +75,41 @@ static int __init ima_template_setup(char *str)
> >>   }
> >>   __setup("ima_template=", ima_template_setup);
> >>
> >> +static int __init ima_template_fmt_setup(char *str)
> >> +{
> >> +	int num_templates = ARRAY_SIZE(defined_templates);
> >> +	char *str_ptr = str;
> >> +
> >> +	if (ima_template)
> >> +		return 1;
> >> +
> >> +	while (str_ptr != NULL) {
> >> +		char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
> >> +		int len = strcspn(str_ptr, "|");
> >> +
> >> +		if (len >= IMA_TEMPLATE_FIELD_ID_MAX_LEN) {
> >> +			pr_err("IMA: field too long, using template %s\n",
> >> +			       CONFIG_IMA_DEFAULT_TEMPLATE);
> >> +			return 1;
> >> +		}
> >> +
> >> +		memcpy(field_id, str_ptr, len);
> >> +		field_id[len] = '\0';
> >> +		if (lookup_template_field(field_id) == NULL) {
> >> +			pr_err("IMA: field '%s' not found, using template %s\n",
> >> +			       field_id, CONFIG_IMA_DEFAULT_TEMPLATE);
> >> +			return 1;
> >> +		}
> >> +
> >> +		str_ptr = (str_ptr[len] == '|') ? str_ptr + len + 1 : NULL;
> >
> > Personally, I think it would be cleaner to use a 'for' loop.  Something
> > like: for (bufp = buf; bufp < bufend; bufp += len + 1)
> >
> 
> Hi Mimi
> 
> this solution will not work because it does not properly
> handle a string like 'validfield|'. Indeed, at the second
> iteration, you already reached the end of the string and
> exit without detecting a field identifier of length zero.

If this is the only issue, you could check the last character, before
entering the loop.

Mimi