IMA: Add audit log for failure conditions (34e980bb) · Commits · 戴 / test

security/integrity/ima/ima.h

+32 −16

Original line number	Diff line number	Diff line
		@@ -187,26 +187,42 @@ static inline unsigned int ima_hash_key(u8 *digest)
		}

		#define __ima_hooks(hook) \
		hook(NONE) \
		hook(FILE_CHECK) \
		hook(MMAP_CHECK) \
		hook(BPRM_CHECK) \
		hook(CREDS_CHECK) \
		hook(POST_SETATTR) \
		hook(MODULE_CHECK) \
		hook(FIRMWARE_CHECK) \
		hook(KEXEC_KERNEL_CHECK) \
		hook(KEXEC_INITRAMFS_CHECK) \
		hook(POLICY_CHECK) \
		hook(KEXEC_CMDLINE) \
		hook(KEY_CHECK) \
		hook(MAX_CHECK)
		#define __ima_hook_enumify(ENUM) ENUM,
		hook(NONE, none) \
		hook(FILE_CHECK, file) \
		hook(MMAP_CHECK, mmap) \
		hook(BPRM_CHECK, bprm) \
		hook(CREDS_CHECK, creds) \
		hook(POST_SETATTR, post_setattr) \
		hook(MODULE_CHECK, module) \
		hook(FIRMWARE_CHECK, firmware) \
		hook(KEXEC_KERNEL_CHECK, kexec_kernel) \
		hook(KEXEC_INITRAMFS_CHECK, kexec_initramfs) \
		hook(POLICY_CHECK, policy) \
		hook(KEXEC_CMDLINE, kexec_cmdline) \
		hook(KEY_CHECK, key) \
		hook(MAX_CHECK, none)

		#define __ima_hook_enumify(ENUM, str) ENUM,
		#define __ima_stringify(arg) (#arg)
		#define __ima_hook_measuring_stringify(ENUM, str) \
		(__ima_stringify(measuring_ ##str)),

		enum ima_hooks {
		__ima_hooks(__ima_hook_enumify)
		};

		static const char * const ima_hooks_measure_str[] = {
		__ima_hooks(__ima_hook_measuring_stringify)
		};

		static inline const char *func_measure_str(enum ima_hooks func)
		{
		if (func >= MAX_CHECK)
		return ima_hooks_measure_str[NONE];

		return ima_hooks_measure_str[func];
		}

		extern const char *const func_tokens[];

		struct modsig;

+13 −5

Original line number	Diff line number	Diff line
		@@ -740,6 +740,7 @@ void process_buffer_measurement(const void *buf, int size,
		int pcr, const char *keyring)
		{
		int ret = 0;
		const char *audit_cause = "ENOMEM";
		struct ima_template_entry *entry = NULL;
		struct integrity_iint_cache iint = {};
		struct ima_event_data event_data = {.iint = &iint,
		@@ -794,21 +795,28 @@ void process_buffer_measurement(const void *buf, int size,
		iint.ima_hash->length = hash_digest_size[ima_hash_algo];

		ret = ima_calc_buffer_hash(buf, size, iint.ima_hash);
		if (ret < 0)
		if (ret < 0) {
		audit_cause = "hashing_error";
		goto out;
		}

		ret = ima_alloc_init_template(&event_data, &entry, template);
		if (ret < 0)
		if (ret < 0) {
		audit_cause = "alloc_entry";
		goto out;
		}

		ret = ima_store_template(entry, violation, NULL, buf, pcr);

		if (ret < 0)
		if (ret < 0) {
		audit_cause = "store_entry";
		ima_free_template_entry(entry);
		}

		out:
		if (ret < 0)
		pr_devel("%s: failed, result: %d\n", __func__, ret);
		integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL, eventname,
		func_measure_str(func),
		audit_cause, ret, 0, ret);

		return;
		}

+1 −1

Original line number	Diff line number	Diff line
		@@ -1414,7 +1414,7 @@ void ima_delete_rules(void)
		}
		}

		#define __ima_hook_stringify(str) (#str),
		#define __ima_hook_stringify(func, str) (#func),

		const char *const func_tokens[] = {
		__ima_hooks(__ima_hook_stringify)

+5 −0

Original line number	Diff line number	Diff line
		@@ -68,6 +68,7 @@ static struct ima_key_entry ima_alloc_key_entry(struct key keyring,
		size_t payload_len)
		{
		int rc = 0;
		const char *audit_cause = "ENOMEM";
		struct ima_key_entry *entry;

		entry = kzalloc(sizeof(*entry), GFP_KERNEL);
		@@ -88,6 +89,10 @@ static struct ima_key_entry ima_alloc_key_entry(struct key keyring,

		out:
		if (rc) {
		integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL,
		keyring->description,
		func_measure_str(KEY_CHECK),
		audit_cause, rc, 0, rc);
		ima_free_key_entry(entry);
		entry = NULL;
		}