This patch modifies existing IMA functions to retrieve the template name and/or format specified in a matched policy rule, resolve them with ima_get_template_desc(), and pass the resulting template descriptor to ima_alloc_init_template(). The latter falls back to ima_get_template_desc(NULL, NULL) for the default descriptor when none is supplied, and uses the descriptor to create the new measurement entry.
Signed-off-by: Roberto Sassu <roberto.sa...@polito.it>
---
 security/integrity/ima/ima.h | 10 ++++++----
 security/integrity/ima/ima_api.c | 23 ++++++++++++++---------
 security/integrity/ima/ima_init.c | 2 +-
 security/integrity/ima/ima_main.c | 9 ++++++---
 security/integrity/ima/ima_policy.c | 7 ++++++-
 5 files changed, 33 insertions(+), 18 deletions(-)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index f72c488..bc7668d 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -130,7 +130,8 @@ static inline unsigned long ima_hash_key(u8 *digest)
 }
 
 /* LIM API function definitions */
-int ima_get_action(struct inode *inode, int mask, int function);
+int ima_get_action(struct inode *inode, int mask, int function,
+ char **template_name, char **template_fmt);
 int ima_must_measure(struct inode *inode, int mask, int function);
 int ima_collect_measurement(struct integrity_iint_cache *iint,
 struct file *file,
@@ -139,13 +140,14 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
 void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
 const unsigned char *filename,
 struct evm_ima_xattr_data *xattr_value,
- int xattr_len);
+ int xattr_len, struct ima_template_desc *desc);
 void ima_audit_measurement(struct integrity_iint_cache *iint,
 const unsigned char *filename);
 int ima_alloc_init_template(struct integrity_iint_cache *iint,
 struct file *file, const unsigned char *filename,
 struct evm_ima_xattr_data *xattr_value,
- int xattr_len, struct ima_template_entry **entry);
+ int xattr_len, struct ima_template_desc *desc,
+ struct ima_template_entry **entry);
 int ima_store_template(struct ima_template_entry *entry, int violation,
 struct inode *inode, const unsigned char *filename);
 const char *ima_d_path(struct path *path, char **pathbuf);
@@ -160,7 +162,7 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
 enum ima_hooks { FILE_CHECK = 1, MMAP_CHECK, BPRM_CHECK, MODULE_CHECK, POST_SETATTR };
 
 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
- int flags);
+ int flags, char **template_name, char **template_fmt);
 void ima_init_policy(void);
 void ima_update_policy(void);
 ssize_t ima_parse_add_rule(char *);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index f10328d..da70074 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -27,12 +27,15 @@
 int ima_alloc_init_template(struct integrity_iint_cache *iint,
 struct file *file, const unsigned char *filename,
 struct evm_ima_xattr_data *xattr_value,
- int xattr_len, struct ima_template_entry **entry)
+ int xattr_len, struct ima_template_desc *desc,
+ struct ima_template_entry **entry)
 {
- struct ima_template_desc *template_desc;
+ struct ima_template_desc *template_desc = desc;
 int i, result = 0;
 
- template_desc = ima_get_template_desc(NULL, NULL);
+ if (template_desc == NULL)
+ template_desc = ima_get_template_desc(NULL, NULL);
+
 *entry = kzalloc(sizeof(**entry) + template_desc->num_fields *
 sizeof(struct ima_field_data), GFP_NOFS);
 if (!*entry)
@@ -127,7 +130,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
 atomic_long_inc(&ima_htable.violations);
 
 result = ima_alloc_init_template(NULL, file, filename,
- NULL, 0, &entry);
+ NULL, 0, NULL, &entry);
 if (result < 0) {
 result = -ENOMEM;
 goto err_out;
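Review bot: The new `desc` parameter of ima_alloc_init_template() is undocumented, and its contract (a caller-supplied descriptor, with NULL falling back to the default one) is only implied by the added `if`. If the function has a comment header above the hunk, add `@desc: template descriptor chosen by the matched policy rule, or NULL to use the default template` there; otherwise a one-line comment on the fallback, `/* no rule-specific template: use the configured default */`, would do. As a point of style, kernel code writes the NULL test as `if (!template_desc)`. The remainder of the function body is outside the hunk.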
@@ -156,19 +159,21 @@ err_out:
  * Returns IMA_MEASURE, IMA_APPRAISE mask.
  *
  */
-int ima_get_action(struct inode *inode, int mask, int function)
+int ima_get_action(struct inode *inode, int mask, int function,
+ char **template_name, char **template_fmt)
 {
 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
 
 if (!ima_appraise)
 flags &= ~IMA_APPRAISE;
 
- return ima_match_policy(inode, function, mask, flags);
+ return ima_match_policy(inode, function, mask, flags,
+ template_name, template_fmt);
 }
 
 int ima_must_measure(struct inode *inode, int mask, int function)
 {
- return ima_match_policy(inode, function, mask, IMA_MEASURE);
+ return ima_match_policy(inode, function, mask, IMA_MEASURE, NULL, NULL);
 }
 
 /*
@@ -245,7 +250,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
 void ima_store_measurement(struct integrity_iint_cache *iint,
 struct file *file, const unsigned char *filename,
 struct evm_ima_xattr_data *xattr_value,
- int xattr_len)
+ int xattr_len, struct ima_template_desc *desc)
 {
 const char *op = "add_template_measure";
 const char *audit_cause = "ENOMEM";
@@ -258,7 +263,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
 return;
 
 result = ima_alloc_init_template(iint, file, filename,
- xattr_value, xattr_len, &entry);
+ xattr_value, xattr_len, desc, &entry);
 if (result < 0) {
 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
 op, audit_cause, result, 0);
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 15f34bd..8059ec9 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -69,7 +69,7 @@ static void __init ima_add_boot_aggregate(void)
 }
 
 result = ima_alloc_init_template(iint, NULL, boot_aggregate_name,
- NULL, 0, &entry);
+ NULL, 0, NULL, &entry);
 if (result < 0)
 return;
 
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 6e1d3db..d1f372e 100644
--- a/security/integrity/ima/ima_main.c
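Review bot: The kerneldoc of ima_get_action(), whose tail (`* Returns IMA_MEASURE, IMA_APPRAISE mask.`) is visible at the top of the hunk, does not describe the two new output parameters. Add `@template_name: set to the matched rule's template name` and `@template_fmt: set to the matched rule's template format`, and say that both are written only when a rule matches (the stores in ima_match_policy() sit after the `continue` of the non-matching case), so callers must initialise them beforehand as process_measurement() does, while ima_must_measure() passes NULL for both to opt out. The kerneldoc header itself starts above the hunk.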
+++ b/security/integrity/ima/ima_main.c
@@ -172,6 +172,7 @@ static int process_measurement(struct file *file, const char *filename,
 const char *pathname = NULL;
 int rc = -ENOMEM, action, must_appraise, _func;
 struct evm_ima_xattr_data *xattr_value = NULL, **xattr_ptr = NULL;
+ char *custom_template_name = NULL, *custom_template_fmt = NULL;
 int xattr_len = 0;
 
 if (!ima_initialized || !S_ISREG(inode->i_mode))
@@ -181,7 +182,8 @@ static int process_measurement(struct file *file, const char *filename,
  * bitmask based on the appraise/audit/measurement policy.
  * Included is the appraise submask.
  */
- action = ima_get_action(inode, mask, function);
+ action = ima_get_action(inode, mask, function,
+ &custom_template_name, &custom_template_fmt);
 if (!action)
 return 0;
 
@@ -211,7 +213,8 @@ static int process_measurement(struct file *file, const char *filename,
 goto out_digsig;
 }
 
- template_desc = ima_get_template_desc(NULL, NULL);
+ template_desc = ima_get_template_desc(custom_template_name,
+ custom_template_fmt);
 if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
 if (action & IMA_APPRAISE_SUBMASK)
 xattr_ptr = &xattr_value;
@@ -228,7 +231,7 @@ static int process_measurement(struct file *file, const char *filename,
 
 if (action & IMA_MEASURE)
 ima_store_measurement(iint, file, pathname,
- xattr_value, xattr_len);
+ xattr_value, xattr_len, template_desc);
 if (action & IMA_APPRAISE_SUBMASK)
 rc = ima_appraise_measurement(_func, iint, file, pathname,
 xattr_value, xattr_len);
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index df852ec..fee3dc1 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
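Review bot: `template_desc`, now obtained from ima_get_template_desc(custom_template_name, custom_template_fmt), is dereferenced by the `strcmp()` on the next line with no NULL check; the old (NULL, NULL) call selected the built-in default, whereas the new arguments come straight from a policy rule and may name a template or format that cannot be resolved. If ima_get_template_desc() can return NULL in that case (its body is not part of this patch), fail the measurement explicitly rather than oops, for example `if (!template_desc) { rc = -EINVAL; goto out_digsig; }` using the error path already taken a few lines above. If it instead silently falls back to the default descriptor, record that in a comment here, since a policy author who asked for a specific template would otherwise get entries in a different format with no indication. process_measurement() begins and ends outside the hunk.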
@@ -261,7 +261,7 @@ static int get_subaction(struct ima_rule_entry *rule, int func)
  * change.)
  */
 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
- int flags)
+ int flags, char **template_name, char **template_fmt)
 {
 struct ima_rule_entry *entry;
 int action = 0, actmask = flags | (flags << 1);
@@ -274,6 +274,11 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
 if (!ima_match_rules(entry, inode, func, mask))
 continue;
 
+ if (template_name)
+ *template_name = entry->template_name;
+ if (template_fmt)
+ *template_fmt = entry->template_fmt;
+
 action |= entry->flags & IMA_ACTION_FLAGS;
 
 action |= entry->action & IMA_DO_MASK;
-- 
1.8.1.4
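Review bot: The two new stores run for every rule that matches, before the rule's action is even looked at, so if the walk goes on to further rules (the rest of the loop body is outside the hunk) a later matching rule that carries no template — a dont_measure, dont_appraise or audit rule, say — overwrites the name and format the measure rule supplied with its own, presumably NULL, values and process_measurement() silently ends up on the default template. Only propagating values that are actually set avoids that: `if (template_name && entry->template_name)` and `if (template_fmt && entry->template_fmt)`. Separately, the pointers handed back alias the rule entry and are consumed after ima_match_policy() returns; the list walk's locking and the policy-update path (ima_update_policy() is declared in ima.h) are not in this patch, so confirm that a rule cannot be freed while the caller still holds its template strings, or copy them out. The loop body continues past the end of the hunk.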