
Commit cf222217 authored by Mimi Zohar

ima: define a new hook to measure and appraise a file already in memory



This patch defines a new IMA hook ima_post_read_file() for measuring
and appraising files read by the kernel. The caller loads the file into
memory before calling this function, which calculates the hash followed by
the normal IMA policy based processing.

Changelog v5:
- fail ima_post_read_file() if either file or buf is NULL
v3:
- rename ima_hash_and_process_file() to ima_post_read_file()

v1:
- split patch

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
parent 98304bcf
+8 −0
@@ -20,6 +20,8 @@ extern void ima_file_free(struct file *file);
extern int ima_file_mmap(struct file *file, unsigned long prot);
extern int ima_module_check(struct file *file);
extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
			      enum kernel_read_file_id id);

#else
static inline int ima_bprm_check(struct linux_binprm *bprm)
@@ -52,6 +54,12 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size)
	return 0;
}

static inline int ima_post_read_file(struct file *file, void *buf, loff_t size,
				     enum kernel_read_file_id id)
{
	return 0;
}

#endif /* CONFIG_IMA */

#ifdef CONFIG_IMA_APPRAISE
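Review bot: The new ima_post_read_file() declaration in the first hunk has no comment stating its contract, and the rule given in the changelog ("fail if either file or buf is NULL") cannot be seen by a caller reading this header. Suggest a comment above the extern: `/* Measure/appraise a file the caller has already read into @buf (@size bytes). Both @file and @buf must be non-NULL; @id says which kernel reader loaded it. */`. If the implementation only hashes the buffer, `const void *buf` would document that the hook does not write through it; the body of ima_post_read_file() is not on this page, so that is to be confirmed. The CONFIG_IMA=n stub in the second hunk returning 0 matches the neighbouring stubs.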
+1 −0
@@ -24,6 +24,7 @@

#include <linux/key.h>
#include <linux/capability.h>
#include <linux/fs.h>
#include <linux/slab.h>
#include <linux/err.h>
#include <linux/string.h>
+3 −1
@@ -19,6 +19,7 @@

#include <linux/types.h>
#include <linux/crypto.h>
#include <linux/fs.h>
#include <linux/security.h>
#include <linux/hash.h>
#include <linux/tpm.h>
@@ -152,7 +153,8 @@ enum ima_hooks {
int ima_get_action(struct inode *inode, int mask, enum ima_hooks func);
int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
int ima_collect_measurement(struct integrity_iint_cache *iint,
			    struct file *file, enum hash_algo algo);
			    struct file *file, void *buf, loff_t size,
			    enum hash_algo algo);
void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
			   const unsigned char *filename,
			   struct evm_ima_xattr_data *xattr_value,
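--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -188,7 +188,8 @@ int ima_get_action(struct inode *inode, int mask, enum ima_hooks func)
  * Return 0 on success, error code otherwise
  */
 int ima_collect_measurement(struct integrity_iint_cache *iint,
-			    struct file *file, enum hash_algo algo)
+			    struct file *file, void *buf, loff_t size,
+			    enum hash_algo algo)
 {
 	const char *audit_cause = "failed";
 	struct inode *inode = file_inode(file);
@@ -210,7 +211,8 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
 
 		hash.hdr.algo = algo;
 
-		result = ima_calc_file_hash(file, &hash.hdr);
+		result = (!buf) ?  ima_calc_file_hash(file, &hash.hdr) :
+			ima_calc_buffer_hash(buf, size, &hash.hdr);
 		if (!result) {
 			int length = sizeof(hash.hdr) + hash.hdr.length;
 			void *tmpbuf = krealloc(iint->ima_hash, length,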
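Review bot: The kernel-doc above ima_collect_measurement(), whose tail (`* Return 0 on success, error code otherwise`) is the first context line of the first hunk, is not updated for the two new parameters, so the dispatch in the second hunk — buffer hashed when buf is non-NULL, file read otherwise — is undocumented where a caller would look for the contract. Suggest adding `@buf: in-memory copy of the file contents, or NULL to hash @file directly` and `@size: number of bytes in @buf (unused when @buf is NULL)`, plus a sentence noting that with @buf given the stored measurement describes that buffer rather than the file's current on-disk contents, so the caller must pass exactly the bytes it will act on. `loff_t size` is signed, and whether ima_calc_buffer_hash() rejects a negative value is not visible here; worth confirming or checking before the call. The ternary `(!buf) ?  ima_calc_file_hash(...) : ima_calc_buffer_hash(...)` also carries a stray double space; an if/else would read more plainly. The body of ima_collect_measurement() continues outside both hunks.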
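--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -300,7 +300,7 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
 	if (iint->flags & IMA_DIGSIG)
 		return;
 
-	rc = ima_collect_measurement(iint, file, ima_hash_algo);
+	rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo);
 	if (rc < 0)
 		return;
 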