@@ -11,6 +11,7 @@
#include <linux/fs.h>
#include <linux/security.h>
#include <linux/kexec.h>
+#include <crypto/hash_info.h>
struct linux_binprm;
#ifdef CONFIG_IMA
@@ -36,7 +37,8 @@ extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);
extern void ima_measure_critical_data(const char *event_label,
const char *event_name,
const void *buf, size_t buf_len,
- bool hash);
+ bool hash, u8 *digest,
+ enum hash_algo *algo, bool *measured);
#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
extern void ima_appraise_parse_cmdline(void);
@@ -140,7 +142,9 @@ static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {
static inline void ima_measure_critical_data(const char *event_label,
const char *event_name,
const void *buf, size_t buf_len,
- bool hash) {}
+ bool hash, u8 *digest,
+ enum hash_algo *algo,
+ bool *measured) {}
#endif /* CONFIG_IMA */
@@ -268,7 +268,8 @@ void process_buffer_measurement(struct user_namespace *mnt_userns,
struct inode *inode, const void *buf, int size,
const char *eventname, enum ima_hooks func,
int pcr, const char *func_data,
- bool buf_hash);
+ bool buf_hash, u8 *digest, enum hash_algo *algo,
+ bool *measured);
void ima_audit_measurement(struct integrity_iint_cache *iint,
const unsigned char *filename);
int ima_alloc_init_template(struct ima_event_data *event_data,
@@ -357,7 +357,8 @@ int ima_check_blacklist(struct integrity_iint_cache *iint,
if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
process_buffer_measurement(&init_user_ns, NULL, digest, digestsize,
"blacklisted-hash", NONE,
- pcr, NULL, false);
+ pcr, NULL, false, NULL, NULL,
+ NULL);
}
return rc;
@@ -62,5 +62,6 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key,
*/
process_buffer_measurement(&init_user_ns, NULL, payload, payload_len,
keyring->description, KEY_CHECK, 0,
- keyring->description, false);
+ keyring->description, false, NULL, NULL,
+ NULL);
}
@@ -154,7 +154,8 @@ int __init ima_init(void)
ima_init_key_queue();
ima_measure_critical_data("kernel_info", "kernel_version",
- UTS_RELEASE, strlen(UTS_RELEASE), false);
+ UTS_RELEASE, strlen(UTS_RELEASE), false, NULL,
+ NULL, NULL);
return rc;
}
@@ -833,6 +833,9 @@ int ima_post_load_data(char *buf, loff_t size,
* @pcr: pcr to extend the measurement
* @func_data: func specific data, may be NULL
* @buf_hash: measure buffer data hash
+ * @digest: buffer digest will be written to
+ * @algo: digest algorithm
+ * @measured: whether the buffer has been measured by IMA
*
* Based on policy, either the buffer data or buffer data hash is measured
*/
@@ -840,7 +843,8 @@ void process_buffer_measurement(struct user_namespace *mnt_userns,
struct inode *inode, const void *buf, int size,
const char *eventname, enum ima_hooks func,
int pcr, const char *func_data,
- bool buf_hash)
+ bool buf_hash, u8 *digest, enum hash_algo *algo,
+ bool *measured)
{
int ret = 0;
const char *audit_cause = "ENOMEM";
@@ -861,7 +865,7 @@ void process_buffer_measurement(struct user_namespace *mnt_userns,
int action = 0;
u32 secid;
- if (!ima_policy_flag)
+ if (!ima_policy_flag && (!digest || !algo || !measured))
return;
template = ima_template_desc_buf();
@@ -883,7 +887,7 @@ void process_buffer_measurement(struct user_namespace *mnt_userns,
action = ima_get_action(mnt_userns, inode, current_cred(),
secid, 0, func, &pcr, &template,
func_data);
- if (!(action & IMA_MEASURE))
+ if (!(action & IMA_MEASURE) && (!digest || !algo || !measured))
return;
}
@@ -914,6 +918,15 @@ void process_buffer_measurement(struct user_namespace *mnt_userns,
event_data.buf_len = digest_hash_len;
}
+ if (digest && algo) {
+ memcpy(digest, iint.ima_hash->digest,
+ hash_digest_size[ima_hash_algo]);
+ *algo = ima_hash_algo;
+ }
+
+ if (!(action & IMA_MEASURE))
+ return;
+
ret = ima_alloc_init_template(&event_data, &entry, template);
if (ret < 0) {
audit_cause = "alloc_entry";
@@ -924,8 +937,11 @@ void process_buffer_measurement(struct user_namespace *mnt_userns,
if (ret < 0) {
audit_cause = "store_entry";
ima_free_template_entry(entry);
+ goto out;
}
+ if (measured)
+ *measured = true;
out:
if (ret < 0)
integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL, eventname,
@@ -956,7 +972,7 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
process_buffer_measurement(file_mnt_user_ns(f.file), file_inode(f.file),
buf, size, "kexec-cmdline", KEXEC_CMDLINE, 0,
- NULL, false);
+ NULL, false, NULL, NULL, NULL);
fdput(f);
}
@@ -967,6 +983,9 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
* @buf: pointer to buffer data
* @buf_len: length of buffer data (in bytes)
* @hash: measure buffer data hash
+ * @digest: buffer digest will be written to
+ * @algo: digest algorithm
+ * @measured: whether the buffer has been measured by IMA
*
* Measure data critical to the integrity of the kernel into the IMA log
* and extend the pcr. Examples of critical data could be various data
@@ -976,14 +995,15 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
void ima_measure_critical_data(const char *event_label,
const char *event_name,
const void *buf, size_t buf_len,
- bool hash)
+ bool hash, u8 *digest, enum hash_algo *algo,
+ bool *measured)
{
if (!event_name || !event_label || !buf || !buf_len)
return;
process_buffer_measurement(&init_user_ns, NULL, buf, buf_len, event_name,
CRITICAL_DATA, 0, event_label,
- hash);
+ hash, digest, algo, measured);
}
static int __init init_ima(void)
@@ -165,7 +165,7 @@ void ima_process_queued_keys(void)
entry->keyring_name,
KEY_CHECK, 0,
entry->keyring_name,
- false);
+ false, NULL, NULL, NULL);
list_del(&entry->list);
ima_free_key_entry(entry);
}
@@ -86,7 +86,8 @@ void selinux_ima_measure_state_locked(struct selinux_state *state)
}
ima_measure_critical_data("selinux", "selinux-state",
- state_str, strlen(state_str), false);
+ state_str, strlen(state_str), false, NULL,
+ NULL, NULL);
kfree(state_str);
@@ -103,7 +104,7 @@ void selinux_ima_measure_state_locked(struct selinux_state *state)
}
ima_measure_critical_data("selinux", "selinux-policy-hash",
- policy, policy_len, true);
+ policy, policy_len, true, NULL, NULL, NULL);
vfree(policy);
}
ima_measure_critical_data() allows any caller in the kernel to provide a buffer, so that is measured by IMA if an appropriate policy is set. Some information that could be useful to the callers are the digest of the buffer included in the new measurement entry, the digest algorithm and whether the buffer was measured. This patch modifies the definition of ima_measure_critical_data() to include three new parameters: digest, algo and measured. If they are NULL, the function behaves as before and just measures the buffer, if requested with the IMA policy. Otherwise, it also writes the digest, algorithm and whether the buffer is measured to the provided pointers. If the pointers are not NULL, the digest is calculated also if there is no matching rule in the IMA policy. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Cc: Paul Moore <paul@paul-moore.com> Cc: Stephen Smalley <stephen.smalley.work@gmail.com> Cc: selinux@vger.kernel.org Cc: Prakhar Srivastava <prsriva02@gmail.com> Cc: Tushar Sugandhi <tusharsu@linux.microsoft.com> Cc: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> --- include/linux/ima.h | 8 +++-- security/integrity/ima/ima.h | 3 +- security/integrity/ima/ima_appraise.c | 3 +- security/integrity/ima/ima_asymmetric_keys.c | 3 +- security/integrity/ima/ima_init.c | 3 +- security/integrity/ima/ima_main.c | 32 ++++++++++++++++---- security/integrity/ima/ima_queue_keys.c | 2 +- security/selinux/ima.c | 5 +-- 8 files changed, 44 insertions(+), 15 deletions(-)