From patchwork Tue Nov 7 10:37:04 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roberto Sassu X-Patchwork-Id: 10046257 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 55BDA6031B for ; Tue, 7 Nov 2017 10:44:30 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 388CD290EF for ; Tue, 7 Nov 2017 10:44:30 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2BAFE29B6B; Tue, 7 Nov 2017 10:44:30 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CF1622A10C for ; Tue, 7 Nov 2017 10:44:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752488AbdKGKnu (ORCPT ); Tue, 7 Nov 2017 05:43:50 -0500 Received: from lhrrgout.huawei.com ([194.213.3.17]:39780 "EHLO lhrrgout.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750770AbdKGKnr (ORCPT ); Tue, 7 Nov 2017 05:43:47 -0500 Received: from 172.18.7.190 (EHLO lhreml701-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DZI57275; Tue, 07 Nov 2017 10:43:45 +0000 (GMT) Received: from localhost.localdomain (10.204.65.254) by smtpsuk.huawei.com (10.201.108.42) with Microsoft SMTP Server (TLS) id 14.3.361.1; Tue, 7 Nov 2017 10:43:37 +0000 From: Roberto Sassu To: CC: , , , , , Roberto Sassu Subject: [PATCH v2 09/15] ima: introduce securityfs interfaces for digest lists Date: Tue, 7 Nov 2017 11:37:04 +0100 Message-ID: <20171107103710.10883-10-roberto.sassu@huawei.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171107103710.10883-1-roberto.sassu@huawei.com> References: <20171107103710.10883-1-roberto.sassu@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.204.65.254] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020206.5A018E61.0104, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: e35f46c1ddcb5826f12f0aef757133cb Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This patch introduces the file 'digest_lists' in the securityfs filesystem, to load digest lists metadata. IMA will parse the metadata and load the digest lists from the path provided. It also introduces 'digests_count', to show the number of digests stored in the ima_digests_htable hash table. Signed-off-by: Roberto Sassu Changelog v1: - Deny upload of digest lists if no policy is loaded --- security/integrity/ima/ima_fs.c | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 4158ced5d3c9..1ed717d94487 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -34,11 +34,15 @@ static struct dentry *ascii_runtime_measurements; static struct dentry *runtime_measurements_count; static struct dentry *violations; static struct dentry *ima_policy; +static struct dentry *digest_lists; +static struct dentry *digests_count; static enum kernel_read_file_id ima_get_file_id(struct dentry *dentry) { if (dentry == ima_policy) return READING_POLICY; + else if (dentry == digest_lists) + return READING_DIGEST_LIST_METADATA; return READING_UNKNOWN; } @@ -66,6 +70,8 @@ static ssize_t ima_show_htable_value(struct file *filp, char __user *buf, val = &ima_htable.violations; else if (filp->f_path.dentry == runtime_measurements_count) val = &ima_htable.len; + else if (filp->f_path.dentry == digests_count) + val = &ima_digests_htable.len; len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val)); return simple_read_from_buffer(buf, count, ppos, tmpbuf, len); @@ -301,6 +307,9 @@ static ssize_t ima_read_file(char *path, enum kernel_read_file_id file_id) pr_debug("rule: %s\n", p); rc = ima_parse_add_rule(p); + } else if (file_id == READING_DIGEST_LIST_METADATA) { + rc = ima_parse_digest_list_metadata(size, datap); + datap += rc; } if (rc < 0) break; @@ -401,7 +410,8 @@ static int ima_open_data_upload(struct inode *inode, struct file *filp) read_allowed = true; seq_ops = &ima_policy_seqops; #endif - } + } else if (file_id == READING_DIGEST_LIST_METADATA && !ima_policy_flag) + return -EACCES; if (!(filp->f_flags & O_WRONLY)) { if (!read_allowed) @@ -510,8 +520,22 @@ int __init ima_fs_init(void) if (IS_ERR(ima_policy)) goto out; +#ifdef CONFIG_IMA_DIGEST_LIST + digest_lists = securityfs_create_file("digest_lists", S_IWUSR, ima_dir, + NULL, &ima_data_upload_ops); + if (IS_ERR(digest_lists)) + goto out; + + digests_count = securityfs_create_file("digests_count", + S_IRUSR | S_IRGRP, ima_dir, + NULL, &ima_htable_value_ops); + if (IS_ERR(digests_count)) + goto out; +#endif return 0; out: + securityfs_remove(digests_count); + securityfs_remove(digest_lists); securityfs_remove(violations); securityfs_remove(runtime_measurements_count); securityfs_remove(ascii_runtime_measurements);