
Commit 8d94eb9b authored by Roberto Sassu's avatar Roberto Sassu Committed by Mimi Zohar

ima: pass iint to ima_add_violation()



This patch adds the iint associated with the current inode as a new
parameter of ima_add_violation(). The passed iint is never NULL
when a violation is detected. This modification will be used to determine
the inode for which there is a violation.

Since the 'd' and 'd-ng' template field init() functions were detecting
a violation from the value of the iint pointer, they now check the new
field 'violation', added to the 'ima_event_data' structure.

Changelog:
 - v1:
   - modified an old comment (Roberto Sassu)

Signed-off-by: default avatarRoberto Sassu <rsassu@suse.de>
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent 23b57419
+2 −0
@@ -59,6 +59,7 @@ struct ima_event_data {
	const unsigned char *filename;
	struct evm_ima_xattr_data *xattr_value;
	int xattr_len;
	const char *violation;
};

/* IMA template field data definition */
@@ -110,6 +111,7 @@ int ima_calc_field_array_hash(struct ima_field_data *field_data,
			      struct ima_digest_data *hash);
int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
void ima_add_violation(struct file *file, const unsigned char *filename,
		       struct integrity_iint_cache *iint,
		       const char *op, const char *cause);
int ima_init_crypto(void);
void ima_putc(struct seq_file *m, void *data, int datalen);
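Review bot: The new `violation` member at `const char *violation;` is added to struct ima_event_data without a comment, yet the 'd' and 'd-ng' template field init() functions (ima_template_lib.c hunks) branch on its truthiness alone, and ima_add_violation() (ima_api.c hunk) stores the `cause` string in it. That contract belongs on the field so future callers know a non-NULL value is what marks the record as a violation: `const char *violation;	/* cause string; non-NULL only when recording a violation */`. The prototype change to ima_add_violation() would likewise benefit from a one-line note that `iint` is expected to be non-NULL, as the commit message states.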
+5 −3
@@ -126,11 +126,13 @@ int ima_store_template(struct ima_template_entry *entry,
 * value is invalidated.
 */
void ima_add_violation(struct file *file, const unsigned char *filename,
		       struct integrity_iint_cache *iint,
		       const char *op, const char *cause)
{
	struct ima_template_entry *entry;
	struct inode *inode = file_inode(file);
	struct ima_event_data event_data = {NULL, file, filename, NULL, 0};
	struct ima_event_data event_data = {iint, file, filename, NULL, 0,
					    cause};
	int violation = 1;
	int result;

@@ -264,8 +266,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
	int result = -ENOMEM;
	struct inode *inode = file_inode(file);
	struct ima_template_entry *entry;
	struct ima_event_data event_data = {iint, file, filename,
					    xattr_value, xattr_len};
	struct ima_event_data event_data = {iint, file, filename, xattr_value,
					    xattr_len, NULL};
	int violation = 0;

	if (iint->flags & IMA_MEASURED)
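Review bot: The initializer `struct ima_event_data event_data = {iint, file, filename, NULL, 0, cause};` in ima_add_violation(), the matching one in ima_store_measurement() and the one in the ima_init.c hunk are all positional, which is why appending `violation` forced every call site to change and why a future reordering of the struct would silently move `cause` into the wrong member. Designated initializers state the intent and leave untouched members zero: `struct ima_event_data event_data = { .iint = iint, .filename = filename, .violation = cause, ... };` with the remaining members named as declared in ima.h. The comment ending in `* value is invalidated.` above ima_add_violation() starts outside the hunk; if it lists parameters it should now describe `iint` as well. Both function bodies continue past the hunk.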
+1 −1
@@ -50,7 +50,7 @@ static int __init ima_add_boot_aggregate(void)
	struct ima_template_entry *entry;
	struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
	struct ima_event_data event_data = {iint, NULL, boot_aggregate_name,
					    NULL, 0};
					    NULL, 0, NULL};
	int result = -ENOMEM;
	int violation = 0;
	struct {
+3 −2
@@ -106,9 +106,10 @@ static void ima_rdwr_violation_check(struct file *file,
	*pathname = ima_d_path(&file->f_path, pathbuf);

	if (send_tomtou)
		ima_add_violation(file, *pathname, "invalid_pcr", "ToMToU");
		ima_add_violation(file, *pathname, iint,
				  "invalid_pcr", "ToMToU");
	if (send_writers)
		ima_add_violation(file, *pathname,
		ima_add_violation(file, *pathname, iint,
				  "invalid_pcr", "open_writers");
}

+2 −3
@@ -209,7 +209,7 @@ int ima_eventdigest_init(struct ima_event_data *event_data,

	memset(&hash, 0, sizeof(hash));

	if (!event_data->iint)		/* recording a violation. */
	if (event_data->violation)	/* recording a violation. */
		goto out;

	if (ima_template_hash_algo_allowed(event_data->iint->ima_hash->algo)) {
@@ -247,8 +247,7 @@ int ima_eventdigest_ng_init(struct ima_event_data *event_data,
	u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1;
	u32 cur_digestsize = 0;

	/* If iint is NULL, we are recording a violation. */
	if (!event_data->iint)
	if (event_data->violation)	/* recording a violation. */
		goto out;

	cur_digest = event_data->iint->ima_hash->digest;
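Review bot: Replacing `if (!event_data->iint)` with `if (event_data->violation)` in ima_eventdigest_init() and ima_eventdigest_ng_init() drops the only NULL guard before `event_data->iint->ima_hash` is dereferenced on the lines that follow, so any caller that builds an ima_event_data with a NULL iint and no violation string now dereferences NULL instead of skipping the digest. Keeping both conditions costs nothing and preserves the old fail-safe: `if (event_data->violation || !event_data->iint)	/* recording a violation. */`, in both functions. Both function bodies start and end outside the hunks.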