This patch modifies existing IMA functions to retrieve the template name
or format specified in a matched policy rule and provide it to
ima_alloc_init_template(). The latter calls ima_get_template_desc()
to obtain the template descriptor to use for creating a new measurement
entry.

Signed-off-by: Roberto Sassu <roberto.sa...@polito.it>
---
 security/integrity/ima/ima.h        | 10 ++++++----
 security/integrity/ima/ima_api.c    | 23 ++++++++++++++---------
 security/integrity/ima/ima_init.c   |  2 +-
 security/integrity/ima/ima_main.c   |  9 ++++++---
 security/integrity/ima/ima_policy.c |  7 ++++++-
 5 files changed, 33 insertions(+), 18 deletions(-)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index f72c488..bc7668d 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -130,7 +130,8 @@ static inline unsigned long ima_hash_key(u8 *digest)
 }
 
 /* LIM API function definitions */
-int ima_get_action(struct inode *inode, int mask, int function);
+int ima_get_action(struct inode *inode, int mask, int function,
+                  char **template_name, char **template_fmt);
 int ima_must_measure(struct inode *inode, int mask, int function);
 int ima_collect_measurement(struct integrity_iint_cache *iint,
                            struct file *file,
@@ -139,13 +140,14 @@ int ima_collect_measurement(struct integrity_iint_cache 
*iint,
 void ima_store_measurement(struct integrity_iint_cache *iint, struct file 
*file,
                           const unsigned char *filename,
                           struct evm_ima_xattr_data *xattr_value,
-                          int xattr_len);
+                          int xattr_len, struct ima_template_desc *desc);
 void ima_audit_measurement(struct integrity_iint_cache *iint,
                           const unsigned char *filename);
 int ima_alloc_init_template(struct integrity_iint_cache *iint,
                            struct file *file, const unsigned char *filename,
                            struct evm_ima_xattr_data *xattr_value,
-                           int xattr_len, struct ima_template_entry **entry);
+                           int xattr_len, struct ima_template_desc *desc,
+                           struct ima_template_entry **entry);
 int ima_store_template(struct ima_template_entry *entry, int violation,
                       struct inode *inode, const unsigned char *filename);
 const char *ima_d_path(struct path *path, char **pathbuf);
@@ -160,7 +162,7 @@ struct integrity_iint_cache *integrity_iint_find(struct 
inode *inode);
 enum ima_hooks { FILE_CHECK = 1, MMAP_CHECK, BPRM_CHECK, MODULE_CHECK, 
POST_SETATTR };
 
 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
-                    int flags);
+                    int flags, char **template_name, char **template_fmt);
 void ima_init_policy(void);
 void ima_update_policy(void);
 ssize_t ima_parse_add_rule(char *);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index f10328d..da70074 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -27,12 +27,15 @@
 int ima_alloc_init_template(struct integrity_iint_cache *iint,
                            struct file *file, const unsigned char *filename,
                            struct evm_ima_xattr_data *xattr_value,
-                           int xattr_len, struct ima_template_entry **entry)
+                           int xattr_len, struct ima_template_desc *desc,
+                           struct ima_template_entry **entry)
 {
-       struct ima_template_desc *template_desc;
+       struct ima_template_desc *template_desc = desc;
        int i, result = 0;
 
-       template_desc = ima_get_template_desc(NULL, NULL);
+       if (template_desc == NULL)
+               template_desc = ima_get_template_desc(NULL, NULL);
+
        *entry = kzalloc(sizeof(**entry) + template_desc->num_fields *
                         sizeof(struct ima_field_data), GFP_NOFS);
        if (!*entry)
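Review bot: The meaning of a NULL `desc` at `if (template_desc == NULL)` — use the default template — exists only in the code, yet the callers in ima_add_violation() and ima_add_boot_aggregate() now depend on it, so it belongs on the parameter: `/* @desc: template descriptor to use; NULL selects the default returned by ima_get_template_desc(NULL, NULL) */`. The dereference `template_desc->num_fields` on the next line still assumes the lookup never returns NULL, which holds for the default path as before but is worth stating in that comment. The function body continues outside this hunk.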
@@ -127,7 +130,7 @@ void ima_add_violation(struct file *file, const unsigned 
char *filename,
        atomic_long_inc(&ima_htable.violations);
 
        result = ima_alloc_init_template(NULL, file, filename,
-                                        NULL, 0, &entry);
+                                        NULL, 0, NULL, &entry);
        if (result < 0) {
                result = -ENOMEM;
                goto err_out;
@@ -156,19 +159,21 @@ err_out:
  * Returns IMA_MEASURE, IMA_APPRAISE mask.
  *
  */
-int ima_get_action(struct inode *inode, int mask, int function)
+int ima_get_action(struct inode *inode, int mask, int function,
+                  char **template_name, char **template_fmt)
 {
        int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
 
        if (!ima_appraise)
                flags &= ~IMA_APPRAISE;
 
-       return ima_match_policy(inode, function, mask, flags);
+       return ima_match_policy(inode, function, mask, flags,
+                               template_name, template_fmt);
 }
 
 int ima_must_measure(struct inode *inode, int mask, int function)
 {
-       return ima_match_policy(inode, function, mask, IMA_MEASURE);
+       return ima_match_policy(inode, function, mask, IMA_MEASURE, NULL, NULL);
 }
 
 /*
@@ -245,7 +250,7 @@ int ima_collect_measurement(struct integrity_iint_cache 
*iint,
 void ima_store_measurement(struct integrity_iint_cache *iint,
                           struct file *file, const unsigned char *filename,
                           struct evm_ima_xattr_data *xattr_value,
-                          int xattr_len)
+                          int xattr_len, struct ima_template_desc *desc)
 {
        const char *op = "add_template_measure";
        const char *audit_cause = "ENOMEM";
@@ -258,7 +263,7 @@ void ima_store_measurement(struct integrity_iint_cache 
*iint,
                return;
 
        result = ima_alloc_init_template(iint, file, filename,
-                                        xattr_value, xattr_len, &entry);
+                                        xattr_value, xattr_len, desc, &entry);
        if (result < 0) {
                integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
                                    op, audit_cause, result, 0);
diff --git a/security/integrity/ima/ima_init.c 
b/security/integrity/ima/ima_init.c
index 15f34bd..8059ec9 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -69,7 +69,7 @@ static void __init ima_add_boot_aggregate(void)
        }
 
        result = ima_alloc_init_template(iint, NULL, boot_aggregate_name,
-                                        NULL, 0, &entry);
+                                        NULL, 0, NULL, &entry);
        if (result < 0)
                return;
 
diff --git a/security/integrity/ima/ima_main.c 
b/security/integrity/ima/ima_main.c
index 6e1d3db..d1f372e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -172,6 +172,7 @@ static int process_measurement(struct file *file, const 
char *filename,
        const char *pathname = NULL;
        int rc = -ENOMEM, action, must_appraise, _func;
        struct evm_ima_xattr_data *xattr_value = NULL, **xattr_ptr = NULL;
+       char *custom_template_name = NULL, *custom_template_fmt = NULL;
        int xattr_len = 0;
 
        if (!ima_initialized || !S_ISREG(inode->i_mode))
@@ -181,7 +182,8 @@ static int process_measurement(struct file *file, const 
char *filename,
         * bitmask based on the appraise/audit/measurement policy.
         * Included is the appraise submask.
         */
-       action = ima_get_action(inode, mask, function);
+       action = ima_get_action(inode, mask, function,
+                               &custom_template_name, &custom_template_fmt);
        if (!action)
                return 0;
 
@@ -211,7 +213,8 @@ static int process_measurement(struct file *file, const 
char *filename,
                goto out_digsig;
        }
 
-       template_desc = ima_get_template_desc(NULL, NULL);
+       template_desc = ima_get_template_desc(custom_template_name,
+                                             custom_template_fmt);
        if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
                if (action & IMA_APPRAISE_SUBMASK)
                        xattr_ptr = &xattr_value;
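Review bot: `template_desc` is dereferenced at `strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME)` immediately after `ima_get_template_desc(custom_template_name, custom_template_fmt)`; with the previous NULL, NULL arguments the lookup presumably always yielded the default, but the arguments now come from a policy rule, so if ima_get_template_desc() can return NULL for an unknown or malformed name or format this becomes a NULL dereference on every file matching that rule. Either guarantee at rule-parsing time that only resolvable values are stored in the entry, or fall back here: `if (!template_desc) template_desc = ima_get_template_desc(NULL, NULL);`. process_measurement() starts and ends outside this hunk.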
@@ -228,7 +231,7 @@ static int process_measurement(struct file *file, const 
char *filename,
 
        if (action & IMA_MEASURE)
                ima_store_measurement(iint, file, pathname,
-                                     xattr_value, xattr_len);
+                                     xattr_value, xattr_len, template_desc);
        if (action & IMA_APPRAISE_SUBMASK)
                rc = ima_appraise_measurement(_func, iint, file, pathname,
                                              xattr_value, xattr_len);
diff --git a/security/integrity/ima/ima_policy.c 
b/security/integrity/ima/ima_policy.c
index df852ec..fee3dc1 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -261,7 +261,7 @@ static int get_subaction(struct ima_rule_entry *rule, int 
func)
  * change.)
  */
 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
-                    int flags)
+                    int flags, char **template_name, char **template_fmt)
 {
        struct ima_rule_entry *entry;
        int action = 0, actmask = flags | (flags << 1);
@@ -274,6 +274,11 @@ int ima_match_policy(struct inode *inode, enum ima_hooks 
func, int mask,
                if (!ima_match_rules(entry, inode, func, mask))
                        continue;
 
+               if (template_name)
+                       *template_name = entry->template_name;
+               if (template_fmt)
+                       *template_fmt = entry->template_fmt;
+
                action |= entry->flags & IMA_ACTION_FLAGS;
 
                action |= entry->action & IMA_DO_MASK;
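Review bot: The out-pointers written at `*template_name = entry->template_name;` and `*template_fmt = entry->template_fmt;` alias strings owned by the rule entry, and the caller keeps using them after ima_match_policy() returns (process_measurement() resolves them later via ima_get_template_desc()); if the rule list is walked under RCU and entries can be replaced or freed by ima_update_policy(), that is a lifetime hazard that should be documented on the function or avoided by resolving the descriptor while the entry is still held. Separately, the assignment runs for every matching rule, so a later matching rule whose template_name/template_fmt are NULL silently overrides an earlier rule's selection; if last-match-wins is intended, say so with `/* the last matching rule decides the template; NULL reverts to the default */`, otherwise only assign when the value is non-NULL. The loop body and the function continue outside this hunk.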
-- 
1.8.1.4
