Re: [PATCH 2/3] IMA:Define a new template field buf
From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2019-06-19 15:07:22
Also in:
linux-integrity, lkml
On Mon, 2019-06-17 at 11:35 -0700, Prakhar Srivastava wrote:
A buffer(kexec boot command line arguments) measured into IMA measuremnt list cannot be appraised, without already being aware of the buffer contents. Since hashes are non-reversible, raw buffer is needed for validation or regenerating hash for appraisal/attestation. Add support to store/read the buffer contents in HEX. The kexec cmdline hash is stored in the "d-ng" field of the template data,it can be verified using sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep kexec-cmdline | cut -d' ' -f 6 | xxd -r -p | sha256sum - Add two new fields to ima_event_data to hold the buf and buf_len [Suggested by Roberto] - Add a new temaplte field 'buf' to be used to store/read the buffer data.[Suggested by Mimi] - Updated process_buffer_meaurement to add the buffer to ima_event_data. process_buffer_measurement added in "Define a new IMA hook to measure the boot command line arguments" - Add a new template policy name ima-buf to represent 'd-ng|n-ng|buf' Signed-off-by: Prakhar Srivastava <redacted> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: James Morris <redacted>
Thanks, looking much better.
quoted hunk ↗ jump to hunk
/* IMA template field data definition */diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index ea7d8cbf712f..83ca99d65e4b 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c@@ -140,7 +140,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, struct ima_template_entry *entry; struct inode *inode = file_inode(file); struct ima_event_data event_data = {iint, file, filename, NULL, 0, - cause}; + cause, NULL, 0}; int violation = 1; int result;@@ -296,7 +296,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct inode *inode = file_inode(file); struct ima_template_entry *entry; struct ima_event_data event_data = {iint, file, filename, xattr_value, - xattr_len, NULL}; + xattr_len, NULL, NULL, 0}; int violation = 0; if (iint->measured_pcrs & (0x1 << pcr))diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 993d0f1915ff..c8591406c0e2 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c@@ -50,7 +50,7 @@ static int __init ima_add_boot_aggregate(void) struct ima_template_entry *entry; struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; struct ima_event_data event_data = {iint, NULL, boot_aggregate_name, - NULL, 0, NULL}; + NULL, 0, NULL, NULL, 0}; int result = -ENOMEM; int violation = 0; struct {
These changes shouldn't be necessary. Please rebase these patches on top of the latest next-queued-testing branch (git remote update). "IMA: support for per policy rule template formats" is still changing. Minor nit. When re-posting the patches please update the patch titles so that there is a space between the subsystem name and the patch title (eg. "ima: define ..."). Mimi