ima: Execute parser to upload digest lists not recognizable by the kernel

hulk inclusion category: feature feature: IMA Digest Lists extension bugzilla: 46797 --------------------------- This patch limits the digest lists processed by the kernel by excluding those that are not in the compact format. The patch then executes the user space parsers to process the skipped digest lists. Signed-off-by: N Roberto Sassu <roberto.sassu@huawei.com> Acked-by: N Hanjun Guo <guohanjun@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Reviewed-by: N Jason Yan <yanaijie@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

ima: Execute parser to upload digest lists not recognizable by the kernel
hulk inclusion category: feature feature: IMA Digest Lists extension bugzilla: 46797 --------------------------- This patch limits the digest lists processed by the kernel by excluding those that are not in the compact format. The patch then executes the user space parsers to process the skipped digest lists. Signed-off-by: N Roberto Sassu <roberto.sassu@huawei.com> Acked-by: N Hanjun Guo <guohanjun@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Reviewed-by: N Jason Yan <yanaijie@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
b2582aac · Roberto Sassu · Zheng Zengkai · 9835140e · b2582aac · b2582aac
显示空白变更内容
内联并排

Showing with 37 addition and 0 deletion

security/integrity/ima/Kconfig security/integrity/ima/Kconfig +7 -0

security/integrity/ima/ima_digest_list.c security/integrity/ima/ima_digest_list.c +30 -0

未找到文件。
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -352,3 +352,10 @@ config IMA_DIGEST_LISTS_DIR
 	help
 	   This option defines the path of the directory containing digest
 	   lists.
+config IMA_PARSER_BINARY_PATH
+	string "Path of the parser binary"
+	depends on IMA_DIGEST_LIST
+	default "/usr/bin/upload_digest_lists"
+	help
+	   This option defines the path of the parser binary.
--- a/security/integrity/ima/ima_digest_list.c
+++ b/security/integrity/ima/ima_digest_list.c
@@ -274,6 +274,7 @@ static int __init load_digest_list(struct dir_context *__ctx, const char *name,
 	struct dentry *dentry;
 	struct file *file;
 	u8 *xattr_value = NULL;
+	char *type_start, *format_start, *format_end;
 	void *datap = NULL;
 	loff_t size;
 	int ret;
@@ -281,6 +282,22 @@ static int __init load_digest_list(struct dir_context *__ctx, const char *name,
 	if (!strcmp(name, ".") || !strcmp(name, ".."))
 		return 0;
+	type_start = strchr(name, '-');
+	if (!type_start)
+		return 0;
+	format_start = strchr(type_start + 1, '-');
+	if (!format_start)
+		return 0;
+	format_end = strchr(format_start + 1, '-');
+	if (!format_end)
+		return 0;
+	if (format_end - format_start - 1 != strlen("compact") ||
+	    strncmp(format_start + 1, "compact", format_end - format_start - 1))
+		return 0;
 	dentry = lookup_one_len(name, dir->dentry, strlen(name));
 	if (IS_ERR(dentry))
 		return 0;
@@ -322,6 +339,17 @@ static int __init load_digest_list(struct dir_context *__ctx, const char *name,
 	return 0;
 }
+static void ima_exec_parser(void)
+{
+	char *argv[4] = {NULL}, *envp[1] = {NULL};
+	argv[0] = (char *)CONFIG_IMA_PARSER_BINARY_PATH;
+	argv[1] = "add";
+	argv[2] = (char *)CONFIG_IMA_DIGEST_LISTS_DIR;
+	call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
+}
 void __init ima_load_digest_lists(void)
 {
 	struct path path;
@@ -347,6 +375,8 @@ void __init ima_load_digest_lists(void)
 	fput(file);
 out:
 	path_put(&path);
+	ima_exec_parser();
 }
 /****************