Commit 5fbe16a6 authored by Roberto Sassu's avatar Roberto Sassu Committed by zgzxx

ima: Execute parser to upload digest lists not recognizable by the kernel

euleros inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I91FSN


CVE: NA

---------------------------

This patch limits the digest lists processed by the kernel by excluding
those that are not in the compact format. The patch then executes the
user space parsers to process the skipped digest lists.

v4
 - context: adapt security/integrity/ima/Kconfig to the 6.6 kernel

Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Acked-by: default avatarHanjun Guo <guohanjun@huawei.com>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
Reviewed-by: default avatarJason Yan <yanaijie@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: default avatarzhoushuiqing <zhoushuiqing2@huawei.com>
Signed-off-by: default avatarzhangguangzhi <zhangguangzhi3@huawei.com>
parent 0d1eb7af
+7 −0
@@ -337,4 +337,11 @@ config IMA_DIGEST_LISTS_DIR
	   This option defines the path of the directory containing digest
	   lists.

config IMA_PARSER_BINARY_PATH
	string "Path of the parser binary"
	depends on IMA_DIGEST_LIST
	default "/usr/bin/upload_digest_lists"
	help
	   This option defines the path of the parser binary.

endif
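Review bot: The help text of IMA_PARSER_BINARY_PATH only says that the option "defines the path of the parser binary"; it does not tell the reader that the kernel itself executes this binary during IMA initialization (ima_exec_parser() calls call_usermodehelper() with this path, "add" and CONFIG_IMA_DIGEST_LISTS_DIR as arguments), so it must be present on the root filesystem when ima_load_digest_lists() runs. Proposed help text: `This option defines the path of the user space parser that the kernel executes during IMA initialization (with "add" and the digest list directory as arguments) to upload the digest lists that are not in the compact format.` Whether an appraised or measured parser binary is required for the call to succeed depends on the IMA policy in force, which this hunk does not show.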
+34 −4
@@ -266,7 +266,7 @@ struct readdir_callback {
	struct path *path;
};

static int __init load_digest_list(struct dir_context *__ctx, const char *name,
static bool __init load_digest_list(struct dir_context *__ctx, const char *name,
				   int namelen, loff_t offset, u64 ino,
				   unsigned int d_type)
{
@@ -275,16 +275,33 @@ static int __init load_digest_list(struct dir_context *__ctx, const char *name,
	struct dentry *dentry;
	struct file *file;
	u8 *xattr_value = NULL;
	char *type_start, *format_start, *format_end;
	void *datap = NULL;
	loff_t size;
	int ret;

	if (!strcmp(name, ".") || !strcmp(name, ".."))
		return 0;
		return true;

	type_start = strchr(name, '-');
	if (!type_start)
		return true;

	format_start = strchr(type_start + 1, '-');
	if (!format_start)
		return true;

	format_end = strchr(format_start + 1, '-');
	if (!format_end)
		return true;

	if (format_end - format_start - 1 != strlen("compact") ||
	    strncmp(format_start + 1, "compact", format_end - format_start - 1))
		return true;

	dentry = lookup_one_len(name, dir->dentry, strlen(name));
	if (IS_ERR(dentry))
		return 0;
		return true;

	size = vfs_getxattr(&nop_mnt_idmap, dentry, XATTR_NAME_EVM, NULL, 0);
	if (size < 0) {
@@ -320,7 +337,18 @@ static int __init load_digest_list(struct dir_context *__ctx, const char *name,
	fput(file);
out:
	kfree(xattr_value);
	return 0;
	return true;
}

static void ima_exec_parser(void)
{
	char *argv[4] = {NULL}, *envp[1] = {NULL};

	argv[0] = (char *)CONFIG_IMA_PARSER_BINARY_PATH;
	argv[1] = "add";
	argv[2] = (char *)CONFIG_IMA_DIGEST_LISTS_DIR;

	call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
}

void __init ima_load_digest_lists(void)
@@ -348,6 +376,8 @@ void __init ima_load_digest_lists(void)
	fput(file);
out:
	path_put(&path);

	ima_exec_parser();
}

/****************
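Review bot: The return value of call_usermodehelper() in ima_exec_parser() is discarded (`call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);`), so a missing, unexecutable or failing parser binary leaves the non-compact digest lists unloaded with nothing in the kernel log. With UMH_WAIT_PROC the exit status is available, so it should be kept and reported: `int ret = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);` followed by `if (ret) pr_err("IMA: digest list parser %s failed: %d\n", argv[0], ret);`. In the last hunk ima_exec_parser() is placed after the `out:` label of ima_load_digest_lists(), so the parser is also launched on the error path that reaches `out:`; if that is intended (the parser can still process the directory on its own) a one-line comment saying so would help, otherwise the call belongs before the label. The body of ima_load_digest_lists() starts outside the hunk, so which failures jump to `out:` cannot be seen here.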