summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEric Richter <erichte@linux.vnet.ibm.com>2016-06-01 21:14:05 +0300
committerMimi Zohar <zohar@linux.vnet.ibm.com>2016-06-30 08:14:21 +0300
commit67696f6d79923cdc0084b73b4bbe52e6749a43a4 (patch)
tree63a973617eb61e72310fa8b9e8eef01655ff4ca2
parent5f6f027b50d8ed9f1ba4447aa5aed3a94b601fe8 (diff)
downloadlinux-67696f6d79923cdc0084b73b4bbe52e6749a43a4.tar.xz
ima: redefine duplicate template entries
Template entry duplicates are prevented from being added to the measurement list by checking a hash table that contains the template entry digests. However, the PCR value is not included in this comparison, so duplicate template entry digests with differing PCRs may be dropped. This patch redefines duplicate template entries as template entries with the same digest and same PCR values. Reported-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-rw-r--r--security/integrity/ima/ima_queue.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index 552705d5a78d..04a9ac13e85e 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -44,7 +44,8 @@ struct ima_h_table ima_htable = {
static DEFINE_MUTEX(ima_extend_list_mutex);
/* lookup up the digest value in the hash table, and return the entry */
-static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value)
+static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value,
+ int pcr)
{
struct ima_queue_entry *qe, *ret = NULL;
unsigned int key;
@@ -54,7 +55,7 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value)
rcu_read_lock();
hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) {
rc = memcmp(qe->entry->digest, digest_value, TPM_DIGEST_SIZE);
- if (rc == 0) {
+ if ((rc == 0) && (qe->entry->pcr == pcr)) {
ret = qe;
break;
}
@@ -118,7 +119,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
mutex_lock(&ima_extend_list_mutex);
if (!violation) {
memcpy(digest, entry->digest, sizeof(digest));
- if (ima_lookup_digest_entry(digest)) {
+ if (ima_lookup_digest_entry(digest, entry->pcr)) {
audit_cause = "hash_exists";
result = -EEXIST;
goto out;