From b2582aace4d5b5b7cf92520904bc8f31eeec05bd Mon Sep 17 00:00:00 2001
From: Roberto Sassu <roberto.sassu@huawei.com>
Date: Wed, 3 Mar 2021 08:44:24 +0100
Subject: [PATCH] ima: Execute parser to upload digest lists not recognizable
 by the kernel

hulk inclusion
category: feature
feature: IMA Digest Lists extension
bugzilla: 46797

---------------------------

This patch limits the digest lists processed by the kernel by excluding
those that are not in the compact format. The patch then executes the
user space parsers to process the skipped digest lists.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Acked-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
---
 security/integrity/ima/Kconfig           |  7 ++++++
 security/integrity/ima/ima_digest_list.c | 30 ++++++++++++++++++++++++
 2 files changed, 37 insertions(+)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index fa432e4f9684..81ab5e348e8c 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -352,3 +352,10 @@ config IMA_DIGEST_LISTS_DIR
 	help
 	   This option defines the path of the directory containing digest
 	   lists.
+
+config IMA_PARSER_BINARY_PATH
+	string "Path of the parser binary"
+	depends on IMA_DIGEST_LIST
+	default "/usr/bin/upload_digest_lists"
+	help
+	   This option defines the path of the parser binary.
diff --git a/security/integrity/ima/ima_digest_list.c b/security/integrity/ima/ima_digest_list.c
index 9eb1950dea58..53262495201d 100644
--- a/security/integrity/ima/ima_digest_list.c
+++ b/security/integrity/ima/ima_digest_list.c
@@ -274,6 +274,7 @@ static int __init load_digest_list(struct dir_context *__ctx, const char *name,
 	struct dentry *dentry;
 	struct file *file;
 	u8 *xattr_value = NULL;
+	char *type_start, *format_start, *format_end;
 	void *datap = NULL;
 	loff_t size;
 	int ret;
@@ -281,6 +282,22 @@ static int __init load_digest_list(struct dir_context *__ctx, const char *name,
 	if (!strcmp(name, ".") || !strcmp(name, ".."))
 		return 0;
 
+	type_start = strchr(name, '-');
+	if (!type_start)
+		return 0;
+
+	format_start = strchr(type_start + 1, '-');
+	if (!format_start)
+		return 0;
+
+	format_end = strchr(format_start + 1, '-');
+	if (!format_end)
+		return 0;
+
+	if (format_end - format_start - 1 != strlen("compact") ||
+	    strncmp(format_start + 1, "compact", format_end - format_start - 1))
+		return 0;
+
 	dentry = lookup_one_len(name, dir->dentry, strlen(name));
 	if (IS_ERR(dentry))
 		return 0;
@@ -322,6 +339,17 @@ static int __init load_digest_list(struct dir_context *__ctx, const char *name,
 	return 0;
 }
 
+static void ima_exec_parser(void)
+{
+	char *argv[4] = {NULL}, *envp[1] = {NULL};
+
+	argv[0] = (char *)CONFIG_IMA_PARSER_BINARY_PATH;
+	argv[1] = "add";
+	argv[2] = (char *)CONFIG_IMA_DIGEST_LISTS_DIR;
+
+	call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
+}
+
 void __init ima_load_digest_lists(void)
 {
 	struct path path;
@@ -347,6 +375,8 @@ void __init ima_load_digest_lists(void)
 	fput(file);
 out:
 	path_put(&path);
+
+	ima_exec_parser();
 }
 
 /****************
-- 
GitLab