integrity: define a new function integrity_read_file() (e3c4abbf) · Commits · e / devices / android_kernel_fairphone_FP3

security/integrity/iint.c

+78 −0

Original line number	Original line	Diff line number	Diff line
	@@ -19,6 +19,8 @@
	#include <linux/module.h>		#include <linux/module.h>
	#include <linux/spinlock.h>		#include <linux/spinlock.h>
	#include <linux/rbtree.h>		#include <linux/rbtree.h>
			#include <linux/file.h>
			#include <linux/uaccess.h>
	#include "integrity.h"		#include "integrity.h"

	static struct rb_root integrity_iint_tree = RB_ROOT;		static struct rb_root integrity_iint_tree = RB_ROOT;
	@@ -167,3 +169,79 @@ static int __init integrity_iintcache_init(void)
	return 0;		return 0;
	}		}
	security_initcall(integrity_iintcache_init);		security_initcall(integrity_iintcache_init);


			/*
			* integrity_kernel_read - read data from the file
			*
			* This is a function for reading file content instead of kernel_read().
			* It does not perform locking checks to ensure it cannot be blocked.
			* It does not perform security checks because it is irrelevant for IMA.
			*
			*/
			int integrity_kernel_read(struct file *file, loff_t offset,
			char *addr, unsigned long count)
			{
			mm_segment_t old_fs;
			char __user buf = (char __user )addr;
			ssize_t ret = -EINVAL;

			if (!(file->f_mode & FMODE_READ))
			return -EBADF;

			old_fs = get_fs();
			set_fs(get_ds());
			if (file->f_op->read)
			ret = file->f_op->read(file, buf, count, &offset);
			else if (file->f_op->aio_read)
			ret = do_sync_read(file, buf, count, &offset);
			else if (file->f_op->read_iter)
			ret = new_sync_read(file, buf, count, &offset);
			set_fs(old_fs);
			return ret;
			}

			/*
			* integrity_read_file - read entire file content into the buffer
			*
			* This is function opens a file, allocates the buffer of required
			* size, read entire file content to the buffer and closes the file
			*
			* It is used only by init code.
			*
			*/
			int __init integrity_read_file(const char path, char *data)
			{
			struct file *file;
			loff_t size;
			char *buf;
			int rc = -EINVAL;

			file = filp_open(path, O_RDONLY, 0);
			if (IS_ERR(file)) {
			rc = PTR_ERR(file);
			pr_err("Unable to open file: %s (%d)", path, rc);
			return rc;
			}

			size = i_size_read(file_inode(file));
			if (size <= 0)
			goto out;

			buf = kmalloc(size, GFP_KERNEL);
			if (!buf) {
			rc = -ENOMEM;
			goto out;
			}

			rc = integrity_kernel_read(file, 0, buf, size);
			if (rc < 0)
			kfree(buf);
			else if (rc != size)
			rc = -EIO;
			else
			*data = buf;
			out:
			fput(file);
			return rc;
			}

security/integrity/ima/ima_crypto.c

+3 −32

Original line number	Original line	Diff line number	Diff line
	@@ -67,36 +67,6 @@ MODULE_PARM_DESC(ahash_bufsize, "Maximum ahash buffer size");
	static struct crypto_shash *ima_shash_tfm;		static struct crypto_shash *ima_shash_tfm;
	static struct crypto_ahash *ima_ahash_tfm;		static struct crypto_ahash *ima_ahash_tfm;

	/**
	* ima_kernel_read - read file content
	*
	* This is a function for reading file content instead of kernel_read().
	* It does not perform locking checks to ensure it cannot be blocked.
	* It does not perform security checks because it is irrelevant for IMA.
	*
	*/
	static int ima_kernel_read(struct file *file, loff_t offset,
	char *addr, unsigned long count)
	{
	mm_segment_t old_fs;
	char __user *buf = addr;
	ssize_t ret = -EINVAL;

	if (!(file->f_mode & FMODE_READ))
	return -EBADF;

	old_fs = get_fs();
	set_fs(get_ds());
	if (file->f_op->read)
	ret = file->f_op->read(file, buf, count, &offset);
	else if (file->f_op->aio_read)
	ret = do_sync_read(file, buf, count, &offset);
	else if (file->f_op->read_iter)
	ret = new_sync_read(file, buf, count, &offset);
	set_fs(old_fs);
	return ret;
	}

	int __init ima_init_crypto(void)		int __init ima_init_crypto(void)
	{		{
	long rc;		long rc;
	@@ -324,7 +294,8 @@ static int ima_calc_file_hash_atfm(struct file *file,
	}		}
	/* read buffer */		/* read buffer */
	rbuf_len = min_t(loff_t, i_size - offset, rbuf_size[active]);		rbuf_len = min_t(loff_t, i_size - offset, rbuf_size[active]);
	rc = ima_kernel_read(file, offset, rbuf[active], rbuf_len);		rc = integrity_kernel_read(file, offset, rbuf[active],
			rbuf_len);
	if (rc != rbuf_len)		if (rc != rbuf_len)
	goto out3;		goto out3;

	@@ -417,7 +388,7 @@ static int ima_calc_file_hash_tfm(struct file *file,
	while (offset < i_size) {		while (offset < i_size) {
	int rbuf_len;		int rbuf_len;

	rbuf_len = ima_kernel_read(file, offset, rbuf, PAGE_SIZE);		rbuf_len = integrity_kernel_read(file, offset, rbuf, PAGE_SIZE);
	if (rbuf_len < 0) {		if (rbuf_len < 0) {
	rc = rbuf_len;		rc = rbuf_len;
	break;		break;

security/integrity/integrity.h

+4 −0

Original line number	Original line	Diff line number	Diff line
	@@ -119,6 +119,10 @@ struct integrity_iint_cache {
	*/		*/
	struct integrity_iint_cache integrity_iint_find(struct inode inode);		struct integrity_iint_cache integrity_iint_find(struct inode inode);

			int integrity_kernel_read(struct file *file, loff_t offset,
			char *addr, unsigned long count);
			int __init integrity_read_file(const char path, char *data);

	#define INTEGRITY_KEYRING_EVM 0		#define INTEGRITY_KEYRING_EVM 0
	#define INTEGRITY_KEYRING_MODULE 1		#define INTEGRITY_KEYRING_MODULE 1
	#define INTEGRITY_KEYRING_IMA 2		#define INTEGRITY_KEYRING_IMA 2