提交 5a44b412 编写于 作者: M Mimi Zohar

ima: add support for different security.ima data types

IMA-appraisal currently verifies the integrity of a file based on a
known 'good' measurement value.  This patch reserves the first byte
of 'security.ima' as a place holder for the type of method used for
verifying file data integrity.

Changelog v1:
- Use the newly defined 'struct evm_ima_xattr_data'
Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@nokia.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
上级 42c63330
......@@ -147,8 +147,8 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
if (!(iint->flags & IMA_COLLECTED)) {
u64 i_version = file->f_dentry->d_inode->i_version;
memset(iint->digest, 0, IMA_DIGEST_SIZE);
result = ima_calc_hash(file, iint->digest);
iint->ima_xattr.type = IMA_XATTR_DIGEST;
result = ima_calc_hash(file, iint->ima_xattr.digest);
if (!result) {
iint->version = i_version;
iint->flags |= IMA_COLLECTED;
......@@ -196,7 +196,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
return;
}
memset(&entry->template, 0, sizeof(entry->template));
memcpy(entry->template.digest, iint->digest, IMA_DIGEST_SIZE);
memcpy(entry->template.digest, iint->ima_xattr.digest, IMA_DIGEST_SIZE);
strcpy(entry->template.file_name,
(strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ?
file->f_dentry->d_name.name : filename);
......
......@@ -45,9 +45,9 @@ int ima_must_appraise(struct inode *inode, enum ima_hooks func, int mask)
static void ima_fix_xattr(struct dentry *dentry,
struct integrity_iint_cache *iint)
{
iint->digest[0] = IMA_XATTR_DIGEST;
__vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
iint->digest, IMA_DIGEST_SIZE + 1, 0);
iint->ima_xattr.type = IMA_XATTR_DIGEST;
__vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, (u8 *)&iint->ima_xattr,
sizeof iint->ima_xattr, 0);
}
/*
......@@ -63,7 +63,7 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
{
struct dentry *dentry = file->f_dentry;
struct inode *inode = dentry->d_inode;
u8 xattr_value[IMA_DIGEST_SIZE];
struct evm_ima_xattr_data xattr_value;
enum integrity_status status = INTEGRITY_UNKNOWN;
const char *op = "appraise_data";
char *cause = "unknown";
......@@ -77,8 +77,8 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
if (iint->flags & IMA_APPRAISED)
return iint->ima_status;
rc = inode->i_op->getxattr(dentry, XATTR_NAME_IMA, xattr_value,
IMA_DIGEST_SIZE);
rc = inode->i_op->getxattr(dentry, XATTR_NAME_IMA, (u8 *)&xattr_value,
sizeof xattr_value);
if (rc <= 0) {
if (rc && rc != -ENODATA)
goto out;
......@@ -89,7 +89,8 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
goto out;
}
status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
status = evm_verifyxattr(dentry, XATTR_NAME_IMA, (u8 *)&xattr_value,
rc, iint);
if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
if ((status == INTEGRITY_NOLABEL)
|| (status == INTEGRITY_NOXATTRS))
......@@ -99,14 +100,16 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
goto out;
}
rc = memcmp(xattr_value, iint->digest, IMA_DIGEST_SIZE);
rc = memcmp(xattr_value.digest, iint->ima_xattr.digest,
IMA_DIGEST_SIZE);
if (rc) {
status = INTEGRITY_FAIL;
cause = "invalid-hash";
print_hex_dump_bytes("security.ima: ", DUMP_PREFIX_NONE,
xattr_value, IMA_DIGEST_SIZE);
&xattr_value, sizeof xattr_value);
print_hex_dump_bytes("collected: ", DUMP_PREFIX_NONE,
iint->digest, IMA_DIGEST_SIZE);
(u8 *)&iint->ima_xattr,
sizeof iint->ima_xattr);
goto out;
}
status = INTEGRITY_PASS;
......
......@@ -39,7 +39,7 @@ struct integrity_iint_cache {
struct inode *inode; /* back pointer to inode in question */
u64 version; /* track inode changes */
unsigned char flags;
u8 digest[SHA1_DIGEST_SIZE];
struct evm_ima_xattr_data ima_xattr;
enum integrity_status ima_status;
enum integrity_status evm_status;
};
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册