Thread: 17 messages, 2 authors, 2020-09-11

Re: [PATCH v3 5/6] IMA: add hook to measure critical data from kernel components

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2020-08-31 18:24:12
Also in: dm-devel, linux-security-module, lkml, selinux

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 52cbbc1f7ea2..a889bf40cb7e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -869,6 +869,30 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
 	fdput(f);
 }
 
+/**
+ * ima_measure_critical_data - measure critical data
+ * @event_name: name for the given data
+ * @event_data_source: name of the event data source
+ * @buf: pointer to buffer containing data to measure
+ * @buf_len: length of buffer(in bytes)
+ * @measure_buf_hash: if set to true - will measure hash of the buf,
+ *                    instead of buf
+ *
+ * Buffers can only be measured, not appraised.
+ */
+int ima_measure_critical_data(const char *event_name,
+			      const char *event_data_source,
+			      const void *buf, int buf_len,
+			      bool measure_buf_hash)
+{
+	if (!event_name || !event_data_source || !buf || !buf_len)
+		return -EINVAL;
+
+	return process_buffer_measurement(NULL, buf, buf_len, event_name,
+					  CRITICAL_DATA, 0, event_data_source,
+					  measure_buf_hash);
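Review bot: the guard at the top of ima_measure_critical_data() only rejects a zero length (`!buf_len`), but `buf_len` is a signed `int`, so a negative value passes the check and is handed straight to process_buffer_measurement(); either test `buf_len <= 0` or make the parameter `size_t` so the question cannot arise. The kernel-doc block above also has no `Return:` section: it should state that -EINVAL is returned when any of `event_name`, `event_data_source` or `buf` is missing or `buf_len` is zero, and that otherwise the result of process_buffer_measurement() is propagated unchanged, since callers of a measurement hook need to know which of those outcomes they are expected to act on.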
This is exactly what I'm concerned about.  Failure to measure data may
be audited, but should never fail.

Mimi
+}