Commit 3878d505 authored by Thiago Jung Bauermann's avatar Thiago Jung Bauermann Committed by Mimi Zohar

ima: Define ima-modsig template



Define new "d-modsig" template field which holds the digest that is
expected to match the one contained in the modsig, and also new "modsig"
template field which holds the appended file signature.

Add a new "ima-modsig" defined template descriptor with the new fields as
well as the ones from the "ima-sig" descriptor.

Change ima_store_measurement() to accept a struct modsig * argument so that
it can be passed along to the templates via struct ima_event_data.

Suggested-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Signed-off-by: default avatarThiago Jung Bauermann <bauerman@linux.ibm.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent 15588227
+3 −0
@@ -68,8 +68,10 @@ descriptors by adding their identifier to the format string
 - 'd-ng': the digest of the event, calculated with an arbitrary hash
   algorithm (field format: [<hash algo>:]digest, where the digest
   prefix is shown only if the hash algorithm is not SHA1 or MD5);
 - 'd-modsig': the digest of the event without the appended modsig;
 - 'n-ng': the name of the event, without size limitations;
 - 'sig': the file signature;
 - 'modsig' the appended file signature;
 - 'buf': the buffer data that was used to generate the hash without size limitations;


@@ -79,6 +81,7 @@ Below, there is the list of defined template descriptors:
 - "ima-ng" (default): its format is ``d-ng|n-ng``;
 - "ima-sig": its format is ``d-ng|n-ng|sig``;
 - "ima-buf": its format is ``d-ng|n-ng|buf``;
 - "ima-modsig": its format is ``d-ng|n-ng|sig|d-modsig|modsig``;


Use
+19 −1
@@ -60,6 +60,7 @@ struct ima_event_data {
	const unsigned char *filename;
	struct evm_ima_xattr_data *xattr_value;
	int xattr_len;
	const struct modsig *modsig;
	const char *violation;
	const void *buf;
	int buf_len;
@@ -211,7 +212,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
			   const unsigned char *filename,
			   struct evm_ima_xattr_data *xattr_value,
			   int xattr_len, int pcr,
			   int xattr_len, const struct modsig *modsig, int pcr,
			   struct ima_template_desc *template_desc);
void ima_audit_measurement(struct integrity_iint_cache *iint,
			   const unsigned char *filename);
@@ -312,6 +313,10 @@ bool ima_hook_supports_modsig(enum ima_hooks func);
int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
		    struct modsig **modsig);
void ima_collect_modsig(struct modsig *modsig, const void *buf, loff_t size);
int ima_get_modsig_digest(const struct modsig *modsig, enum hash_algo *algo,
			  const u8 **digest, u32 *digest_size);
int ima_get_raw_modsig(const struct modsig *modsig, const void **data,
		       u32 *data_len);
void ima_free_modsig(struct modsig *modsig);
#else
static inline bool ima_hook_supports_modsig(enum ima_hooks func)
@@ -330,6 +335,19 @@ static inline void ima_collect_modsig(struct modsig *modsig, const void *buf,
{
}

static inline int ima_get_modsig_digest(const struct modsig *modsig,
					enum hash_algo *algo, const u8 **digest,
					u32 *digest_size)
{
	return -EOPNOTSUPP;
}

static inline int ima_get_raw_modsig(const struct modsig *modsig,
				     const void **data, u32 *data_len)
{
	return -EOPNOTSUPP;
}

static inline void ima_free_modsig(struct modsig *modsig)
{
}
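Review bot: The new `ima_get_modsig_digest()` and `ima_get_raw_modsig()` declarations carry no kernel-doc, and their `#else` stubs return `-EOPNOTSUPP` while leaving `*algo`, `*digest`, `*digest_size`, `*data` and `*data_len` untouched, whereas the real implementations (in ima_modsig.c in this same commit) always return 0 after filling them. A caller that ignores the return value would therefore read uninitialized output when modsig support is compiled out; I'd document the contract on the declarations, e.g. `/* Fill the out-params and return 0; when modsig support is compiled out, return -EOPNOTSUPP and leave the out-params unmodified. */`. The new `const struct modsig *modsig` member of `struct ima_event_data` also deserves a note that it is a borrowed pointer, presumably NULL when no appended signature was read (ima_free_modsig() explicitly tolerates NULL), and that the owner frees it via ima_free_modsig(): `const struct modsig *modsig;	/* borrowed, may be NULL; owner frees */`.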
+3 −2
@@ -288,7 +288,7 @@ out:
void ima_store_measurement(struct integrity_iint_cache *iint,
			   struct file *file, const unsigned char *filename,
			   struct evm_ima_xattr_data *xattr_value,
			   int xattr_len, int pcr,
			   int xattr_len, const struct modsig *modsig, int pcr,
			   struct ima_template_desc *template_desc)
{
	static const char op[] = "add_template_measure";
@@ -300,7 +300,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
					     .file = file,
					     .filename = filename,
					     .xattr_value = xattr_value,
					     .xattr_len = xattr_len };
					     .xattr_len = xattr_len,
					     .modsig = modsig };
	int violation = 0;

	if (iint->measured_pcrs & (0x1 << pcr))
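Review bot: The initializer now stores `modsig` into `event_data` unconditionally, and ima_store_measurement() is reached for every file with IMA_MEASURE set (the call site in process_measurement), so `modsig` will presumably be NULL whenever no appended signature was read for the file; the template field handlers that consume `event_data->modsig` must treat NULL as "field absent" rather than dereference it, and I cannot see those handlers from this hunk. A short comment at the initializer would make that expectation explicit, e.g. `.modsig = modsig };	/* may be NULL: no appended signature */`. The body of ima_store_measurement() continues beyond this hunk.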
+1 −1
@@ -323,7 +323,7 @@ static int process_measurement(struct file *file, const struct cred *cred,

	if (action & IMA_MEASURE)
		ima_store_measurement(iint, file, pathname,
				      xattr_value, xattr_len, pcr,
				      xattr_value, xattr_len, modsig, pcr,
				      template_desc);
	if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
		inode_lock(inode);
+19 −0
@@ -138,6 +138,25 @@ int ima_modsig_verify(struct key *keyring, const struct modsig *modsig)
					VERIFYING_MODULE_SIGNATURE, NULL, NULL);
}

int ima_get_modsig_digest(const struct modsig *modsig, enum hash_algo *algo,
			  const u8 **digest, u32 *digest_size)
{
	*algo = modsig->hash_algo;
	*digest = modsig->digest;
	*digest_size = modsig->digest_size;

	return 0;
}

int ima_get_raw_modsig(const struct modsig *modsig, const void **data,
		       u32 *data_len)
{
	*data = &modsig->raw_pkcs7;
	*data_len = modsig->raw_pkcs7_len;

	return 0;
}

void ima_free_modsig(struct modsig *modsig)
{
	if (!modsig)