Commit a810bfd8 authored by Roberto Sassu's avatar Roberto Sassu Committed by Zheng Zengkai
Browse files

ima: Introduce new hook DIGEST_LIST_CHECK 



hulk inclusion
category: feature
feature: IMA Digest Lists extension
bugzilla: 46797

-------------------------------------------------

This patch introduces a new hook called DIGEST_LIST_CHECK to measure
and appraise digest lists in addition to executables and shared libraries,
without including the FILE_CHECK hook in the IMA policy.

Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: default avatarTianxing Zhang <zhangtianxing3@huawei.com>
Reviewed-by: default avatarJason Yan <yanaijie@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent a27b9771

security/integrity/ima/ima.h

+2 −0
Original line number Diff line number Diff line
@@ -197,6 +197,7 @@ static inline unsigned int ima_hash_key(u8 *digest) 
	hook(POLICY_CHECK, policy)			\

	hook(KEXEC_CMDLINE, kexec_cmdline)		\

	hook(KEY_CHECK, key)				\

	hook(DIGEST_LIST_CHECK, digest_list)		\

	hook(MAX_CHECK, none)



#define __ima_hook_enumify(ENUM, str)	ENUM,
@@ -300,6 +301,7 @@ int ima_policy_show(struct seq_file *m, void *v); 
#define IMA_APPRAISE_FIRMWARE	0x10

#define IMA_APPRAISE_POLICY	0x20

#define IMA_APPRAISE_KEXEC	0x40

#define IMA_APPRAISE_DIGEST_LIST	0x80



#ifdef CONFIG_IMA_APPRAISE

int ima_check_blacklist(struct integrity_iint_cache *iint,

security/integrity/ima/ima_main.c

+2 −1
Original line number Diff line number Diff line
@@ -715,7 +715,8 @@ const int read_idmap[READING_MAX_ID] = { 
	[READING_MODULE] = MODULE_CHECK,

	[READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,

	[READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,

	[READING_POLICY] = POLICY_CHECK

	[READING_POLICY] = POLICY_CHECK,

	[READING_DIGEST_LIST] = DIGEST_LIST_CHECK

};



/**

security/integrity/ima/ima_policy.c

+8 −0
Original line number Diff line number Diff line
@@ -143,6 +143,7 @@ static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { 
	{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},

	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},

	{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},

	{.action = MEASURE, .func = DIGEST_LIST_CHECK, .flags = IMA_FUNC},

};



static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
@@ -202,6 +203,8 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { 
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},

	{.action = APPRAISE, .func = POLICY_CHECK,

	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},

	{.action = APPRAISE, .func = DIGEST_LIST_CHECK,

	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},

};



/* An array of architecture specific rules */
@@ -701,6 +704,8 @@ static int ima_appraise_flag(enum ima_hooks func) 
		return IMA_APPRAISE_POLICY;

	else if (func == KEXEC_KERNEL_CHECK)

		return IMA_APPRAISE_KEXEC;

	else if (func == DIGEST_LIST_CHECK)

		return IMA_APPRAISE_DIGEST_LIST;

	return 0;

}
@@ -1065,6 +1070,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) 
	case POST_SETATTR:

	case FIRMWARE_CHECK:

	case POLICY_CHECK:

	case DIGEST_LIST_CHECK:

		if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |

				     IMA_UID | IMA_FOWNER | IMA_FSUUID |

				     IMA_INMASK | IMA_EUID | IMA_PCR |
@@ -1238,6 +1244,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) 
			else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) &&

				 strcmp(args[0].from, "KEY_CHECK") == 0)

				entry->func = KEY_CHECK;

			else if (strcmp(args[0].from, "DIGEST_LIST_CHECK") == 0)

				entry->func = DIGEST_LIST_CHECK;

			else

				result = -EINVAL;

			if (!result)