| Message ID | 1570497267-13672-6-git-send-email-nayna@linux.ibm.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | powerpc: Enabling IMA arch specific secure boot policies | expand |
| Context | Check | Description |
|---|---|---|
| snowpatch_ozlabs/apply_patch | success | Successfully applied on branch next (6edfc6487b474fe01857dc3f1a9cd701bb9b21c8) |
| snowpatch_ozlabs/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 68 lines checked |
[Cc'ing Prakhar Srivastava] On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote: > An additional measurement record is needed to indicate the blacklisted > binary. The record will measure the blacklisted binary hash. > > This patch makes the function process_buffer_measurement() generic to be > called by the blacklisting function. It modifies the function to handle > more than just the KEXEC_CMDLINE. The purpose of this patch is to make process_buffer_measurement() more generic. The patch description should simply say, process_buffer_measurement() is limited to measuring the kexec boot command line. This patch makes process_buffer_measurement() more generic, allowing it to measure other types of buffer data (eg. blacklisted binary hashes). Mimi > > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> > --- > security/integrity/ima/ima.h | 3 +++ > security/integrity/ima/ima_main.c | 29 ++++++++++++++--------------- > 2 files changed, 17 insertions(+), 15 deletions(-) > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index 3689081aaf38..ed86c1f70d7f 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -217,6 +217,9 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, > struct evm_ima_xattr_data *xattr_value, > int xattr_len, const struct modsig *modsig, int pcr, > struct ima_template_desc *template_desc); > +void process_buffer_measurement(const void *buf, int size, > + const char *eventname, int pcr, > + struct ima_template_desc *template_desc); > void ima_audit_measurement(struct integrity_iint_cache *iint, > const unsigned char *filename); > int ima_alloc_init_template(struct ima_event_data *event_data, > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 60027c643ecd..77115e884496 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -626,14 +626,14 @@ int ima_load_data(enum kernel_load_data_id id) > * @buf: pointer to the buffer that needs to be added to the log. > * @size: size of buffer(in bytes). > * @eventname: event name to be used for the buffer entry. > - * @cred: a pointer to a credentials structure for user validation. > - * @secid: the secid of the task to be validated. > + * @pcr: pcr to extend the measurement > + * @template_desc: template description > * > * Based on policy, the buffer is measured into the ima log. > */ > -static void process_buffer_measurement(const void *buf, int size, > - const char *eventname, > - const struct cred *cred, u32 secid) > +void process_buffer_measurement(const void *buf, int size, > + const char *eventname, int pcr, > + struct ima_template_desc *template_desc) > { > int ret = 0; > struct ima_template_entry *entry = NULL; > @@ -642,19 +642,11 @@ static void process_buffer_measurement(const void *buf, int size, > .filename = eventname, > .buf = buf, > .buf_len = size}; > - struct ima_template_desc *template_desc = NULL; > struct { > struct ima_digest_data hdr; > char digest[IMA_MAX_DIGEST_SIZE]; > } hash = {}; > int violation = 0; > - int pcr = CONFIG_IMA_MEASURE_PCR_IDX; > - int action = 0; > - > - action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr, > - &template_desc); > - if (!(action & IMA_MEASURE)) > - return; > > iint.ima_hash = &hash.hdr; > iint.ima_hash->algo = ima_hash_algo; > @@ -686,12 +678,19 @@ static void process_buffer_measurement(const void *buf, int size, > */ > void ima_kexec_cmdline(const void *buf, int size) > { > + int pcr = CONFIG_IMA_MEASURE_PCR_IDX; > + struct ima_template_desc *template_desc = NULL; > + int action; > u32 secid; > > if (buf && size != 0) { > security_task_getsecid(current, &secid); > - process_buffer_measurement(buf, size, "kexec-cmdline", > - current_cred(), secid); > + action = ima_get_action(NULL, current_cred(), secid, 0, > + KEXEC_CMDLINE, &pcr, &template_desc); > + if (!(action & IMA_MEASURE)) > + return; > + process_buffer_measurement(buf, size, "kexec-cmdline", pcr, > + template_desc); > } > } >
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 3689081aaf38..ed86c1f70d7f 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -217,6 +217,9 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, struct evm_ima_xattr_data *xattr_value, int xattr_len, const struct modsig *modsig, int pcr, struct ima_template_desc *template_desc); +void process_buffer_measurement(const void *buf, int size, + const char *eventname, int pcr, + struct ima_template_desc *template_desc); void ima_audit_measurement(struct integrity_iint_cache *iint, const unsigned char *filename); int ima_alloc_init_template(struct ima_event_data *event_data, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 60027c643ecd..77115e884496 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -626,14 +626,14 @@ int ima_load_data(enum kernel_load_data_id id) * @buf: pointer to the buffer that needs to be added to the log. * @size: size of buffer(in bytes). * @eventname: event name to be used for the buffer entry. - * @cred: a pointer to a credentials structure for user validation. - * @secid: the secid of the task to be validated. + * @pcr: pcr to extend the measurement + * @template_desc: template description * * Based on policy, the buffer is measured into the ima log. */ -static void process_buffer_measurement(const void *buf, int size, - const char *eventname, - const struct cred *cred, u32 secid) +void process_buffer_measurement(const void *buf, int size, + const char *eventname, int pcr, + struct ima_template_desc *template_desc) { int ret = 0; struct ima_template_entry *entry = NULL; @@ -642,19 +642,11 @@ static void process_buffer_measurement(const void *buf, int size, .filename = eventname, .buf = buf, .buf_len = size}; - struct ima_template_desc *template_desc = NULL; struct { struct ima_digest_data hdr; char digest[IMA_MAX_DIGEST_SIZE]; } hash = {}; int violation = 0; - int pcr = CONFIG_IMA_MEASURE_PCR_IDX; - int action = 0; - - action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr, - &template_desc); - if (!(action & IMA_MEASURE)) - return; iint.ima_hash = &hash.hdr; iint.ima_hash->algo = ima_hash_algo; @@ -686,12 +678,19 @@ static void process_buffer_measurement(const void *buf, int size, */ void ima_kexec_cmdline(const void *buf, int size) { + int pcr = CONFIG_IMA_MEASURE_PCR_IDX; + struct ima_template_desc *template_desc = NULL; + int action; u32 secid; if (buf && size != 0) { security_task_getsecid(current, &secid); - process_buffer_measurement(buf, size, "kexec-cmdline", - current_cred(), secid); + action = ima_get_action(NULL, current_cred(), secid, 0, + KEXEC_CMDLINE, &pcr, &template_desc); + if (!(action & IMA_MEASURE)) + return; + process_buffer_measurement(buf, size, "kexec-cmdline", pcr, + template_desc); } }
An additional measurement record is needed to indicate the blacklisted binary. The record will measure the blacklisted binary hash. This patch makes the function process_buffer_measurement() generic to be called by the blacklisting function. It modifies the function to handle more than just the KEXEC_CMDLINE. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> --- security/integrity/ima/ima.h | 3 +++ security/integrity/ima/ima_main.c | 29 ++++++++++++++--------------- 2 files changed, 17 insertions(+), 15 deletions(-)