Re: [PATCH v3 11/22] ima: define a new hook to measure and appraise a file already in memory

2016-02-10 Thread Dmitry Kasatkin
On Wed, Feb 3, 2016 at 9:06 PM, Mimi Zohar  wrote:
> This patch defines a new IMA hook ima_post_read_file() for measuring
> and appraising files read by the kernel. The caller loads the file into
> memory before calling this function, which calculates the hash followed by
> the normal IMA policy-based processing.
>
> Changelog v3:
> - rename ima_hash_and_process_file() to ima_post_read_file()
>
> v1:
> - To simplify patch review, separate the IMA changes from the kexec
> and initramfs changes in "ima: measure and appraise kexec image and
> initramfs" patch.  This patch contains just the IMA changes.  The
> kexec and initramfs changes are with the rest of the kexec changes
> in "kexec: replace call to copy_file_from_fd() with kernel version".
>
> Signed-off-by: Mimi Zohar 

Acked-by: Dmitry Kasatkin 

> ---
>  include/linux/ima.h   |  8 +++
>  include/linux/security.h  |  1 +
>  security/integrity/ima/ima.h  |  4 +++-
>  security/integrity/ima/ima_api.c  |  6 +++--
>  security/integrity/ima/ima_appraise.c |  2 +-
>  security/integrity/ima/ima_main.c | 45 
> ---
>  security/integrity/ima/ima_policy.c   |  1 +
>  security/integrity/integrity.h|  7 --
>  security/security.c   |  7 +-
>  9 files changed, 66 insertions(+), 15 deletions(-)
>
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index 120ccc5..d29a6a2 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -20,6 +20,8 @@ extern void ima_file_free(struct file *file);
>  extern int ima_file_mmap(struct file *file, unsigned long prot);
>  extern int ima_module_check(struct file *file);
>  extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
> +extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
> + enum kernel_read_file_id id);
>
>  #else
>  static inline int ima_bprm_check(struct linux_binprm *bprm)
> @@ -52,6 +54,12 @@ static inline int ima_fw_from_file(struct file *file, char 
> *buf, size_t size)
> return 0;
>  }
>
> +static inline int ima_post_read_file(struct file *file, void *buf, loff_t 
> size,
> +enum kernel_read_file_id id)
> +{
> +   return 0;
> +}
> +
>  #endif /* CONFIG_IMA */
>
>  #ifdef CONFIG_IMA_APPRAISE
> diff --git a/include/linux/security.h b/include/linux/security.h
> index b68ce94..d920718 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -24,6 +24,7 @@
>
>  #include 
>  #include 
> +#include 
>  #include 
>  #include 
>  #include 
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index 2c5262f..0b7134c 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -19,6 +19,7 @@
>
>  #include 
>  #include 
> +#include 
>  #include 
>  #include 
>  #include 
> @@ -152,7 +153,8 @@ enum ima_hooks {
>  int ima_get_action(struct inode *inode, int mask, enum ima_hooks func);
>  int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
>  int ima_collect_measurement(struct integrity_iint_cache *iint,
> -   struct file *file, enum hash_algo algo);
> +   struct file *file, void *buf, loff_t size,
> +   enum hash_algo algo);
>  void ima_store_measurement(struct integrity_iint_cache *iint, struct file 
> *file,
>const unsigned char *filename,
>struct evm_ima_xattr_data *xattr_value,
> diff --git a/security/integrity/ima/ima_api.c 
> b/security/integrity/ima/ima_api.c
> index 8750254..370e42d 100644
> --- a/security/integrity/ima/ima_api.c
> +++ b/security/integrity/ima/ima_api.c
> @@ -188,7 +188,8 @@ int ima_get_action(struct inode *inode, int mask, enum 
> ima_hooks func)
>   * Return 0 on success, error code otherwise
>   */
>  int ima_collect_measurement(struct integrity_iint_cache *iint,
> -   struct file *file, enum hash_algo algo)
> +   struct file *file, void *buf, loff_t size,
> +   enum hash_algo algo)
>  {
> const char *audit_cause = "failed";
> struct inode *inode = file_inode(file);
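Review bot: The two new parameters `buf` and `size` are added to the signature but the function's header comment, which ends just above the hunk with "Return 0 on success, error code otherwise" and otherwise lies outside it, is not extended to describe them. A reader of the prototype alone cannot tell that `buf` may be NULL or what `size` measures; I would add ` * @buf: in-memory copy of the file contents, or NULL to hash @file directly` and ` * @size: number of bytes in @buf (only used when @buf is non-NULL)` to that comment. The body of ima_collect_measurement continues beyond this hunk.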
> @@ -210,7 +211,8 @@ int ima_collect_measurement(struct integrity_iint_cache 
> *iint,
>
> hash.hdr.algo = algo;
>
> -   result = ima_calc_file_hash(file, &hash.hdr);
> +   result = (!buf) ?  ima_calc_file_hash(file, &hash.hdr) :
> +   ima_calc_buffer_hash(buf, size, &hash.hdr);
> if (!result) {
> int length = sizeof(hash.hdr) + hash.hdr.length;
> void *tmpbuf = krealloc(iint->ima_hash, length,
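Review bot: The hash selection on the two added lines is written as a ternary with irregular spacing (`?  ima_calc_file_hash`), which is harder to scan than the if/else the surrounding code uses; I would write it as `if (buf) result = ima_calc_buffer_hash(buf, size, &hash.hdr); else result = ima_calc_file_hash(file, &hash.hdr);` on separate lines. Worth noting in a comment that when `buf` is supplied the measurement covers the bytes the caller actually holds in memory rather than a second read of the file, and that the resulting digest is still stored in `iint->ima_hash` on the following lines, so it is cached per inode like a file-based hash; whether the earlier IMA_COLLECTED check (outside this hunk) then reuses it for a later file-based request is not visible here. `size` is a signed `loff_t`; any range validation presumably happens in the caller, which this hunk does not show. The enclosing function starts and ends outside the hunk.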
> diff --git a/security/integrity/ima/ima_appraise.c 
> b/security/integrity/ima/ima_appraise.c
> index 2888449..cb0d0ff 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/securit

[PATCH v3 11/22] ima: define a new hook to measure and appraise a file already in memory

2016-02-03 Thread Mimi Zohar
This patch defines a new IMA hook ima_post_read_file() for measuring
and appraising files read by the kernel. The caller loads the file into
memory before calling this function, which calculates the hash followed by
the normal IMA policy-based processing.

Changelog v3:
- rename ima_hash_and_process_file() to ima_post_read_file()

v1:
- To simplify patch review, separate the IMA changes from the kexec
and initramfs changes in "ima: measure and appraise kexec image and
initramfs" patch.  This patch contains just the IMA changes.  The
kexec and initramfs changes are with the rest of the kexec changes
in "kexec: replace call to copy_file_from_fd() with kernel version".

Signed-off-by: Mimi Zohar 
---
 include/linux/ima.h   |  8 +++
 include/linux/security.h  |  1 +
 security/integrity/ima/ima.h  |  4 +++-
 security/integrity/ima/ima_api.c  |  6 +++--
 security/integrity/ima/ima_appraise.c |  2 +-
 security/integrity/ima/ima_main.c | 45 ---
 security/integrity/ima/ima_policy.c   |  1 +
 security/integrity/integrity.h|  7 --
 security/security.c   |  7 +-
 9 files changed, 66 insertions(+), 15 deletions(-)

diff --git a/include/linux/ima.h b/include/linux/ima.h
index 120ccc5..d29a6a2 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -20,6 +20,8 @@ extern void ima_file_free(struct file *file);
 extern int ima_file_mmap(struct file *file, unsigned long prot);
 extern int ima_module_check(struct file *file);
 extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
+extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
+ enum kernel_read_file_id id);
 
 #else
 static inline int ima_bprm_check(struct linux_binprm *bprm)
@@ -52,6 +54,12 @@ static inline int ima_fw_from_file(struct file *file, char 
*buf, size_t size)
return 0;
 }
 
+static inline int ima_post_read_file(struct file *file, void *buf, loff_t size,
+enum kernel_read_file_id id)
+{
+   return 0;
+}
+
 #endif /* CONFIG_IMA */
 
 #ifdef CONFIG_IMA_APPRAISE
diff --git a/include/linux/security.h b/include/linux/security.h
index b68ce94..d920718 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -24,6 +24,7 @@
 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 2c5262f..0b7134c 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -19,6 +19,7 @@
 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -152,7 +153,8 @@ enum ima_hooks {
 int ima_get_action(struct inode *inode, int mask, enum ima_hooks func);
 int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
 int ima_collect_measurement(struct integrity_iint_cache *iint,
-   struct file *file, enum hash_algo algo);
+   struct file *file, void *buf, loff_t size,
+   enum hash_algo algo);
 void ima_store_measurement(struct integrity_iint_cache *iint, struct file 
*file,
   const unsigned char *filename,
   struct evm_ima_xattr_data *xattr_value,
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 8750254..370e42d 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -188,7 +188,8 @@ int ima_get_action(struct inode *inode, int mask, enum 
ima_hooks func)
  * Return 0 on success, error code otherwise
  */
 int ima_collect_measurement(struct integrity_iint_cache *iint,
-   struct file *file, enum hash_algo algo)
+   struct file *file, void *buf, loff_t size,
+   enum hash_algo algo)
 {
const char *audit_cause = "failed";
struct inode *inode = file_inode(file);
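Review bot: The new `buf` and `size` parameters are not described in the function's header comment, whose tail ("Return 0 on success, error code otherwise") is the top of this hunk and whose remainder lies above it. Since `buf` is optional, that is the one fact a caller most needs; I would add ` * @buf: in-memory copy of the file contents, or NULL to hash @file directly` and ` * @size: number of bytes in @buf (only used when @buf is non-NULL)` to that comment block. ima_collect_measurement's body continues past the end of this hunk.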
@@ -210,7 +211,8 @@ int ima_collect_measurement(struct integrity_iint_cache 
*iint,
 
hash.hdr.algo = algo;
 
-   result = ima_calc_file_hash(file, &hash.hdr);
+   result = (!buf) ?  ima_calc_file_hash(file, &hash.hdr) :
+   ima_calc_buffer_hash(buf, size, &hash.hdr);
if (!result) {
int length = sizeof(hash.hdr) + hash.hdr.length;
void *tmpbuf = krealloc(iint->ima_hash, length,
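Review bot: The ternary on the two added lines, with its uneven spacing (`?  ima_calc_file_hash`), is less readable than a plain branch and does not match the statement style of the rest of the function; I would replace it with `if (buf) result = ima_calc_buffer_hash(buf, size, &hash.hdr); else result = ima_calc_file_hash(file, &hash.hdr);` split over four lines. A one-line comment would also help, because the security-relevant consequence is easy to miss: with `buf` set the digest reflects the in-memory copy the caller will use rather than a fresh read of the file, and it is then cached in `iint->ima_hash` by the lines that follow, i.e. per inode, exactly like a file-derived hash. `size` is a signed `loff_t`; the hunk does not show whether callers reject negative values before it reaches ima_calc_buffer_hash. The enclosing function starts and ends outside this hunk.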
diff --git a/security/integrity/ima/ima_appraise.c 
b/security/integrity/ima/ima_appraise.c
index 2888449..cb0d0ff 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -300,7 +300,7 @@ void ima_update_xattr(struct integrity_iint_cache *iint, 
struct file *file)
if (iint->flags & IMA_DIGSIG)
return;
 
-   rc = ima_collect_measurement(iint, file, ima_hash_algo);
+   rc = ima_collect_measurement(iint, file, NULL, 0