Commit b89997c5 authored by Gu Bowen's avatar Gu Bowen

IMA support script execution check

hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/IAZ996
CVE: NA

Reference: https://lore.kernel.org/linux-integrity/9e3df65c2bf060b5833558e9f8d82dcd2fe9325a.camel@huaweicloud.com/



----------------------------------------------------------------------

Support IMA measurement and appraisal of indirect script calls. If the script
exec check is enabled, ima_bprm_check() is called through
security_bprm_creds_for_exec().

Signed-off-by: default avatarHuaxin Lu <luhuaxin1@huawei.com>
Signed-off-by: default avatarGu Bowen <gubowen5@huawei.com>
parent 4e597f8e
+1 −0
@@ -17,6 +17,7 @@ struct linux_binprm;
#ifdef CONFIG_IMA
extern enum hash_algo ima_get_current_hash_algo(void);
extern int ima_bprm_check(struct linux_binprm *bprm);
extern int ima_bprm_creds_for_exec(struct linux_binprm *bprm);
extern int ima_file_check(struct file *file, int mask);
extern void ima_post_create_tmpfile(struct mnt_idmap *idmap,
				    struct inode *inode);
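Review bot: The new prototype is added only inside the `#ifdef CONFIG_IMA` branch, yet security_bprm_creds_for_exec() in the third file of this commit calls ima_bprm_creds_for_exec() unconditionally, so unless a stub exists that the commit does not show, a CONFIG_IMA=n build fails on an undeclared function. The `#else` branch of this header, which lies outside the hunk, needs a matching no-op stub in the same form the other ima_* declarations presumably use there: `static inline int ima_bprm_creds_for_exec(struct linux_binprm *bprm) { return 0; }`. Returning 0 keeps the security.c caller's behaviour identical to before the change when IMA is compiled out.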
+11 −0
@@ -638,6 +638,17 @@ int ima_bprm_check(struct linux_binprm *bprm)
				   MAY_EXEC, CREDS_CHECK);
}

/**
 * ima_bprm_creds_for_exec - ima support exec check.
 */
int ima_bprm_creds_for_exec(struct linux_binprm *bprm)
{
	if (!bprm->is_check)
		return 0;

	return ima_bprm_check(bprm);
}

/**
 * ima_file_check - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured
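Review bot: The kerneldoc on ima_bprm_creds_for_exec() is incomplete for a new exported entry point: it has no `@bprm` line and does not state when the function is a no-op, unlike the neighbouring ima_file_check() block which documents its parameters. Suggested header: `* ima_bprm_creds_for_exec - measure/appraise bprm->file for an exec check.` followed by `* @bprm: binprm of the file being checked; only acted on when bprm->is_check is set` and `* Return: 0 when no check is requested, otherwise the result of ima_bprm_check().` The `is_check` member of struct linux_binprm is not introduced by this commit, so the description should name the series that adds it (the referenced lore thread appears to be it) so that reviewers can confirm the field's semantics.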
+6 −1
@@ -1063,7 +1063,12 @@ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
 */
int security_bprm_creds_for_exec(struct linux_binprm *bprm)
{
	return call_int_hook(bprm_creds_for_exec, 0, bprm);
	int ret;

	ret = call_int_hook(bprm_creds_for_exec, 0, bprm);
	if (ret)
		return ret;
	return ima_bprm_creds_for_exec(bprm);
}

/**
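Review bot: The kerneldoc for security_bprm_creds_for_exec(), which begins outside the hunk and ends at the ` */` line shown, still describes only the LSM hook, but the function now also returns the IMA result, so its return description should say so: `* Return: 0 if the LSM hook and, when bprm->is_check is set, the IMA bprm check both succeed; otherwise the first error.` The early return on a non-zero LSM result before the IMA call is the right order, since it keeps IMA from measuring a file an LSM has already refused. It is worth confirming that this file already includes linux/ima.h, as nothing in the hunk shows the declaration being brought into scope.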