Commit 7c9d18bc authored by Zhang Tianxing's avatar Zhang Tianxing Committed by Zheng Zengkai

ima: Add max size for IMA digest database

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I409K9


CVE: NA

-----------------------------------------------------------------

This patch sets max size for IMA digest database to prevent OOM.

A __ro_after_init global variable ima_digest_db_max_size holds the
maximum amount of data that may be uploaded to the digest database.

Another global variable ima_digest_db_size records the data uploaded to
kernel digest database and increments when uploading digest lists.

Signed-off-by: default avatarZhang Tianxing <zhangtianxing3@huawei.com>
Reviewed-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent 986ac499
+4 −0
@@ -1777,6 +1777,10 @@
			with PCR 10, according to the existing behavior.
			Format: { [+]<unsigned int> }

	ima_digest_db_size=nn[M]
			[IMA]
			Sets the maximum data uploaded to IMA digest database.

	ima_hash=	[IMA]
			Format: { md5 | sha1 | rmd160 | sha256 | sha384
				   | sha512 | ... }
+5 −0
@@ -6419,6 +6419,11 @@ CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
CONFIG_IMA_DIGEST_LIST=y
CONFIG_IMA_DIGEST_LISTS_DIR="/etc/ima/digest_lists"
# CONFIG_IMA_MIN_DIGEST_DB_SIZE is not set
CONFIG_IMA_STANDARD_DIGEST_DB_SIZE=y
# CONFIG_IMA_MAX_DIGEST_DB_SIZE is not set
# CONFIG_IMA_CUSTOM_DIGEST_DB_SIZE is not set
CONFIG_IMA_DIGEST_DB_SIZE=16
CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists"
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
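Review bot: The new line `CONFIG_IMA_DIGEST_DB_SIZE=16` names a symbol that the Kconfig hunk in this same commit does not define; the int symbol there is `IMA_DIGEST_DB_MEGABYTES`. A config option with no Kconfig entry is dropped silently when the defconfig is expanded, so this line has no effect and the 16 MB limit only comes from the `IMA_STANDARD_DIGEST_DB_SIZE` default. Change it to `CONFIG_IMA_DIGEST_DB_MEGABYTES=16` (the second defconfig on this page has the same line), or rename the Kconfig symbol, but the two must agree or a custom size can never be carried in a defconfig.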
+5 −0
@@ -7788,6 +7788,11 @@ CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
CONFIG_IMA_DIGEST_LIST=y
CONFIG_IMA_DIGEST_LISTS_DIR="/etc/ima/digest_lists"
# CONFIG_IMA_MIN_DIGEST_DB_SIZE is not set
CONFIG_IMA_STANDARD_DIGEST_DB_SIZE=y
# CONFIG_IMA_MAX_DIGEST_DB_SIZE is not set
# CONFIG_IMA_CUSTOM_DIGEST_DB_SIZE is not set
CONFIG_IMA_DIGEST_DB_SIZE=16
CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists"
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
+27 −0
@@ -353,6 +353,33 @@ config IMA_DIGEST_LISTS_DIR
	   This option defines the path of the directory containing digest
	   lists.

choice
	prompt "Defalut maximum data uploaded to the IMA digest database"
	default IMA_STANDARD_DIGEST_DB_SIZE
	depends on IMA_DIGEST_LIST
	help
	  This option defines the maximum data uploaded to the IMA digest
	  database. The compiled default limit can be overwritten using the
	  kernel command line "ima_digest_db_size".

	config IMA_MIN_DIGEST_DB_SIZE
		bool "minimum"
	config IMA_STANDARD_DIGEST_DB_SIZE
		bool "standard (default)"
	config IMA_MAX_DIGEST_DB_SIZE
		bool "maximum"
	config IMA_CUSTOM_DIGEST_DB_SIZE
		bool "custom"
endchoice

config IMA_DIGEST_DB_MEGABYTES
	int
	depends on IMA_DIGEST_LIST
	range 8 64
	default 8 if IMA_MIN_DIGEST_DB_SIZE
	default 16 if IMA_STANDARD_DIGEST_DB_SIZE
	default 64 if IMA_MAX_DIGEST_DB_SIZE

config IMA_PARSER_BINARY_PATH
	string "Path of the parser binary"
	depends on IMA_DIGEST_LIST
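Review bot: `config IMA_DIGEST_DB_MEGABYTES` is an `int` with no prompt, so selecting `IMA_CUSTOM_DIGEST_DB_SIZE` gives the user no way to enter a value and leaves the symbol without a default, because the three `default ... if` lines cover only the other choices; `range 8 64` never applies to anything. Give it a prompt gated on the custom choice, `int "Maximum data uploaded to the IMA digest database (MB)" if IMA_CUSTOM_DIGEST_DB_SIZE`, and add `default 16 if IMA_CUSTOM_DIGEST_DB_SIZE` so an unanswered prompt still yields a sane limit. The choice prompt also has a typo, `Defalut` should be `Default`, and the help text should say the value is in megabytes, since the `nn[M]` form of the command-line override suggests a unit the help never states.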
+4 −0
@@ -57,6 +57,10 @@ extern int ima_digest_list_pcr;
extern bool ima_plus_standard_pcr;
extern const char boot_aggregate_name[];
extern int ima_digest_list_actions;
#ifdef CONFIG_IMA_DIGEST_LIST
extern size_t ima_digest_db_max_size __ro_after_init;
extern size_t ima_digest_db_size;
#endif

/* IMA event related data */
struct ima_event_data {
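Review bot: The two new externs say nothing about their unit or about what serializes updates to `ima_digest_db_size`; the commit message says it is incremented on each digest-list upload and bounded by `ima_digest_db_max_size`, and a plain `size_t` check-then-increment from concurrent writers could overshoot the limit unless the upload path is already serialized, which cannot be confirmed from this hunk since the definitions and the check live elsewhere. I would add above the `#ifdef`: `/* Limit on data uploaded to the digest database (Kconfig default, overridable with ima_digest_db_size= on the command line) and the amount uploaded so far; presumably bytes - confirm against the definition. ima_digest_db_size must only be updated under whatever lock serializes digest-list uploads. */`. Stating the unit matters because the Kconfig value and the command-line value are expressed in megabytes while the variables are raw sizes.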