| Message ID | 20210130004519.25106-4-tusharsu@linux.microsoft.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | support for duplicate measurement of integrity critical data | expand |
Hi Tushar, On Fri, 2021-01-29 at 16:45 -0800, Tushar Sugandhi wrote: > diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c > > index c096ef8945c7..fbf359495fa8 100644 > --- a/security/integrity/ima/ima_queue.c > +++ b/security/integrity/ima/ima_queue.c > @@ -158,7 +158,7 @@ static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr) > */ > int ima_add_template_entry(struct ima_template_entry *entry, int violation, > const char *op, struct inode *inode, > - const unsigned char *filename) > + const unsigned char *filename, bool allow_dup) > { > u8 *digest = entry->digests[ima_hash_algo_idx].digest; > struct tpm_digestate_entry(struct ima_template_entry *entry, int violation, > > mutex_lock(&ima_extend_list_mutex); > if (!violation) { > - if (ima_lookup_digest_entry(digest, entry->pcr)) { > + if (!allow_dup && > + ima_lookup_digest_entry(digest, entry->pcr)) { Can't this change be simplified to "if (!violation && !allow_dup)"? Also perhaps instead of passing another variable "allow_dup" to each of these functions, pass a mask containing violation and allow_dup. > audit_cause = "hash_exists"; > result = -EEXIST; > goto out; thanks, Mimi
On 2021-02-08 12:24 p.m., Mimi Zohar wrote: > Hi Tushar, > > On Fri, 2021-01-29 at 16:45 -0800, Tushar Sugandhi wrote: > >> diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c >> >> index c096ef8945c7..fbf359495fa8 100644 >> --- a/security/integrity/ima/ima_queue.c >> +++ b/security/integrity/ima/ima_queue.c >> @@ -158,7 +158,7 @@ static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr) >> */ >> int ima_add_template_entry(struct ima_template_entry *entry, int violation, >> const char *op, struct inode *inode, >> - const unsigned char *filename) >> + const unsigned char *filename, bool allow_dup) >> { >> u8 *digest = entry->digests[ima_hash_algo_idx].digest; >> > struct tpm_digestate_entry(struct ima_template_entry *entry, int violation, Not sure I understand this. Maybe a typo? Could you please explain? >> >> mutex_lock(&ima_extend_list_mutex); >> if (!violation) { >> - if (ima_lookup_digest_entry(digest, entry->pcr)) { >> + if (!allow_dup && >> + ima_lookup_digest_entry(digest, entry->pcr)) { > > Can't this change be simplified to "if (!violation && !allow_dup)"? > Sure. Will do. Earlier I wasn't sure if 'violation' would touch any other use-cases inadvertently. That's why I localized the change as above. But now since we are supporting other scenarios as well, I believe "if (!violation && !allow_dup)" would be cleaner. > Also perhaps instead of passing another variable "allow_dup" to each of > these functions, pass a mask containing violation and allow_dup. > There were examples of both approaches in ima_match_policy(). - int *pcr/ima_template_desc **template_desc as an out-param; - and various actions as flags in return int. Earlier I couldn't decide one way or the other, so I picked the out-param approach. But since allow_dup is just a single bit info, returning it as a bit in the action flag is a cleaner solution. Will implement it with flag in the next iteration. Thanks again for reviewing the series. Really appreciate it. Thanks, Tushar >> audit_cause = "hash_exists"; >> result = -EEXIST; >> goto out; > > thanks, > > Mimi >
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 59324173497f..b06732560949 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -139,7 +139,7 @@ int ima_init(void); int ima_fs_init(void); int ima_add_template_entry(struct ima_template_entry *entry, int violation, const char *op, struct inode *inode, - const unsigned char *filename); + const unsigned char *filename, bool allow_dup); int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash); int ima_calc_buffer_hash(const void *buf, loff_t len, struct ima_digest_data *hash); @@ -278,7 +278,7 @@ int ima_alloc_init_template(struct ima_event_data *event_data, struct ima_template_desc *template_desc); int ima_store_template(struct ima_template_entry *entry, int violation, struct inode *inode, - const unsigned char *filename, int pcr); + const unsigned char *filename, int pcr, bool allow_dup); void ima_free_template_entry(struct ima_template_entry *entry); const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index d273373e6be9..f84369f9905e 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -101,7 +101,7 @@ int ima_alloc_init_template(struct ima_event_data *event_data, */ int ima_store_template(struct ima_template_entry *entry, int violation, struct inode *inode, - const unsigned char *filename, int pcr) + const unsigned char *filename, int pcr, bool allow_dup) { static const char op[] = "add_template_measure"; static const char audit_cause[] = "hashing_error"; @@ -119,7 +119,8 @@ int ima_store_template(struct ima_template_entry *entry, } } entry->pcr = pcr; - result = ima_add_template_entry(entry, violation, op, inode, filename); + result = ima_add_template_entry(entry, violation, op, inode, filename, + allow_dup); return result; } @@ -152,7 +153,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, goto err_out; } result = ima_store_template(entry, violation, inode, - filename, CONFIG_IMA_MEASURE_PCR_IDX); + filename, CONFIG_IMA_MEASURE_PCR_IDX, false); if (result < 0) ima_free_template_entry(entry); err_out: @@ -330,7 +331,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, return; } - result = ima_store_template(entry, violation, inode, filename, pcr); + result = ima_store_template(entry, violation, inode, filename, pcr, false); if ((!result || result == -EEXIST) && !(file->f_flags & O_DIRECT)) { iint->flags |= IMA_MEASURED; iint->measured_pcrs |= (0x1 << pcr); diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 6e8742916d1d..d0a79d7b8d89 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -88,7 +88,7 @@ static int __init ima_add_boot_aggregate(void) result = ima_store_template(entry, violation, NULL, boot_aggregate_name, - CONFIG_IMA_MEASURE_PCR_IDX); + CONFIG_IMA_MEASURE_PCR_IDX, false); if (result < 0) { ima_free_template_entry(entry); audit_cause = "store_entry"; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 2774139845b6..ff6d15d7594c 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -843,6 +843,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, int digest_hash_len = hash_digest_size[ima_hash_algo]; int violation = 0; int action = 0; + bool allow_dup = false; u32 secid; if (!ima_policy_flag) @@ -865,7 +866,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, if (func) { security_task_getsecid(current, &secid); action = ima_get_action(inode, current_cred(), secid, 0, func, - &pcr, &template, func_data, NULL); + &pcr, &template, func_data, &allow_dup); if (!(action & IMA_MEASURE)) return; } @@ -903,7 +904,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, goto out; } - ret = ima_store_template(entry, violation, NULL, event_data.buf, pcr); + ret = ima_store_template(entry, violation, NULL, event_data.buf, pcr, allow_dup); if (ret < 0) { audit_cause = "store_entry"; ima_free_template_entry(entry); diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c index c096ef8945c7..fbf359495fa8 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -158,7 +158,7 @@ static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr) */ int ima_add_template_entry(struct ima_template_entry *entry, int violation, const char *op, struct inode *inode, - const unsigned char *filename) + const unsigned char *filename, bool allow_dup) { u8 *digest = entry->digests[ima_hash_algo_idx].digest; struct tpm_digest *digests_arg = entry->digests; @@ -169,7 +169,8 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation, mutex_lock(&ima_extend_list_mutex); if (!violation) { - if (ima_lookup_digest_entry(digest, entry->pcr)) { + if (!allow_dup && + ima_lookup_digest_entry(digest, entry->pcr)) { audit_cause = "hash_exists"; result = -EEXIST; goto out;
process_buffer_measurement() and the underlying functions do not use the policy condition to measure duplicate buffer entries for integrity critical data. Update process_buffer_measurement(), ima_add_template_entry(), and ima_store_template() to use the policy condition to decide if a duplicate buffer entry for integrity critical data should be measured. Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com> --- security/integrity/ima/ima.h | 4 ++-- security/integrity/ima/ima_api.c | 9 +++++---- security/integrity/ima/ima_init.c | 2 +- security/integrity/ima/ima_main.c | 5 +++-- security/integrity/ima/ima_queue.c | 5 +++-- 5 files changed, 14 insertions(+), 11 deletions(-)