!4927 ima: digest list new support modsig (f0a83d8e) · Commits · EulixOS / Software / Kernel

security/integrity/ima/ima_appraise.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -648,7 +648,8 @@ int ima_appraise_measurement(enum ima_hooks func,
		* are signed or found in a digest list (immutable)
		*/
		if (func == DIGEST_LIST_CHECK \|\| ima_current_is_parser()) {
		if (xattr_value->type == EVM_IMA_XATTR_DIGSIG)
		if (try_modsig \|\|
		xattr_value->type == EVM_IMA_XATTR_DIGSIG)
		break;
		if (found_digest &&
		ima_digest_is_immutable(found_digest))

security/integrity/ima/ima_digest_list.c

+31 −3

Original line number	Diff line number	Diff line
		@@ -24,6 +24,7 @@
		#include <linux/xattr.h>
		#include <linux/sched/mm.h>
		#include <linux/magic.h>
		#include <linux/module_signature.h>

		#include "ima.h"
		#include "ima_digest_list.h"
		@@ -152,6 +153,25 @@ static void ima_del_digest_data_entry(u8 *digest, enum hash_algo algo,
		kfree(d);
		}

		static size_t ima_get_compact_list_sig_len(loff_t size, void *buf)
		{
		const size_t marker_len = strlen(MODULE_SIG_STRING);
		const struct module_signature *sig;
		const void *p;

		if (size <= marker_len + sizeof(*sig))
		return 0;

		p = buf + size - marker_len;

		if (memcmp(p, MODULE_SIG_STRING, marker_len))
		return 0;

		sig = (const struct module_signature )(p - sizeof(sig));

		return be32_to_cpu(sig->sig_len) + marker_len + sizeof(*sig);
		}

		/***********************
		* Compact list parser *
		***********************/
		@@ -172,10 +192,19 @@ int ima_parse_compact_list(loff_t size, void *buf, int op)
		struct compact_list_hdr *hdr;
		size_t digest_len;
		int ret = 0, i;
		ssize_t sig_len;

		if (!(ima_digest_list_actions & ima_policy_flag))
		return -EACCES;

		sig_len = ima_get_compact_list_sig_len(size, buf);
		if (sig_len >= size) {
		pr_err("compact list, invalid signature\n");
		return -EINVAL;
		}

		bufendp -= sig_len;

		while (bufp < bufendp) {
		if (bufp + sizeof(*hdr) > bufendp) {
		pr_err("compact list, invalid data\n");
		@@ -235,7 +264,7 @@ int ima_parse_compact_list(loff_t size, void *buf, int op)
		}
		}

		return bufp - buf;
		return bufp - buf + sig_len;
		}

		/***************************
		@@ -269,8 +298,7 @@ void ima_check_measured_appraised(struct file *file)
		}

		if ((ima_digest_list_actions & IMA_APPRAISE) &&
		(!(iint->flags & IMA_APPRAISED) \|\|
		!test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
		(!(iint->flags & IMA_APPRAISED))) {
		pr_err("%s not appraised, disabling digest lists lookup for appraisal\n",
		file_dentry(file)->d_name.name);
		ima_digest_list_actions &= ~IMA_APPRAISE;

security/integrity/ima/ima_policy.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -276,7 +276,7 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
		.flags = IMA_FUNC \| IMA_DIGSIG_REQUIRED},
		#ifdef CONFIG_IMA_DIGEST_LIST
		{.action = APPRAISE, .func = DIGEST_LIST_CHECK,
		.flags = IMA_FUNC \| IMA_DIGSIG_REQUIRED},
		.flags = IMA_FUNC \| IMA_DIGSIG_REQUIRED \| IMA_MODSIG_ALLOWED},
		#endif
		};

		@@ -1418,7 +1418,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
		IMA_PERMIT_DIRECTIO \| IMA_VALIDATE_ALGOS \|
		#ifdef CONFIG_IMA_DIGEST_LIST
		IMA_CHECK_BLACKLIST \| IMA_VERITY_REQUIRED \|
		IMA_META_IMMUTABLE_REQUIRED \| IMA_PARSER))
		IMA_META_IMMUTABLE_REQUIRED \| IMA_PARSER \|
		IMA_MODSIG_ALLOWED))
		#else
		IMA_CHECK_BLACKLIST \| IMA_VERITY_REQUIRED))
		#endif