Commit ca3c9bdb authored by Roberto Sassu, committed by Mimi Zohar

ima: Add digest and digest_len params to the functions to measure a buffer



This patch performs the final modification necessary to pass the buffer
measurement to callers, so that they provide a functionality similar to
ima_file_hash(). It adds the 'digest' and 'digest_len' parameters to
ima_measure_critical_data() and process_buffer_measurement().

These functions calculate the digest even if there is no suitable rule in
the IMA policy and, in this case, they simply return 1 before generating a
new measurement entry.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
parent ce5bb5a8
+3 −2
@@ -38,7 +38,7 @@ extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);
extern int ima_measure_critical_data(const char *event_label,
				     const char *event_name,
				     const void *buf, size_t buf_len,
				     bool hash);
				     bool hash, u8 *digest, size_t digest_len);

#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
extern void ima_appraise_parse_cmdline(void);
@@ -147,7 +147,8 @@ static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {
static inline int ima_measure_critical_data(const char *event_label,
					     const char *event_name,
					     const void *buf, size_t buf_len,
					     bool hash)
					     bool hash, u8 *digest,
					     size_t digest_len)
{
	return -ENOENT;
}
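Review bot: The new `digest` and `digest_len` parameters of ima_measure_critical_data() arrive with no kernel-doc on either the extern declaration (lines 28-32) or the !CONFIG_IMA stub (lines 37-45), and the stub returns -ENOENT without ever touching `digest`, so a caller reading only the header cannot tell whether the buffer is optional or what a too-small `digest_len` does. Suggest a comment above the extern: `/* digest/digest_len: optional output for the computed hash (pass NULL, 0 to skip); never written by the !CONFIG_IMA stub */`. Per the commit message the hash is still computed when no policy rule matches and 1 is returned, which is worth stating in the same comment since it differs from the usual "no rule, no work" expectation. Whether the implementation rejects a `digest_len` shorter than the active hash algorithm's digest is not visible on this page; if it does, say so, because IMA digest sizes vary by algorithm. The process_buffer_measurement() prototype in the next file section has the same gap.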
+1 −1
@@ -268,7 +268,7 @@ int process_buffer_measurement(struct user_namespace *mnt_userns,
			       struct inode *inode, const void *buf, int size,
			       const char *eventname, enum ima_hooks func,
			       int pcr, const char *func_data,
			       bool buf_hash);
			       bool buf_hash, u8 *digest, size_t digest_len);
void ima_audit_measurement(struct integrity_iint_cache *iint,
			   const unsigned char *filename);
int ima_alloc_init_template(struct ima_event_data *event_data,
+1 −1
@@ -357,7 +357,7 @@ int ima_check_blacklist(struct integrity_iint_cache *iint,
		if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
			process_buffer_measurement(&init_user_ns, NULL, digest, digestsize,
						   "blacklisted-hash", NONE,
						   pcr, NULL, false);
						   pcr, NULL, false, NULL, 0);
	}

	return rc;
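Review bot: In ima_check_blacklist() the buffer being measured is itself a hash held in locals named `digest`/`digestsize` (line 61), and the call now also passes `NULL, 0` for the function's new `digest`/`digest_len` output parameters (line 64), which reads as though an output were being discarded by mistake. A one-line comment would remove the ambiguity: `/* buf is the blacklisted hash itself; no output digest requested (NULL, 0) */`. The same `NULL, 0` pair is passed at the other two call sites in this commit, ima_post_key_create_or_update() and ima_init(), and all three rely on process_buffer_measurement() checking `digest` for NULL before copying into it; that guard is outside this page, so it is worth confirming. ima_check_blacklist() starts outside the hunk.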
+1 −1
@@ -62,5 +62,5 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key,
	 */
	process_buffer_measurement(&init_user_ns, NULL, payload, payload_len,
				   keyring->description, KEY_CHECK, 0,
				   keyring->description, false);
				   keyring->description, false, NULL, 0);
}
+2 −1
@@ -154,7 +154,8 @@ int __init ima_init(void)
	ima_init_key_queue();

	ima_measure_critical_data("kernel_info", "kernel_version",
				  UTS_RELEASE, strlen(UTS_RELEASE), false);
				  UTS_RELEASE, strlen(UTS_RELEASE), false,
				  NULL, 0);

	return rc;
}