summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2012-01-10 07:59:36 +0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2012-09-07 22:57:47 +0400
commit5a44b41207174e1882ce0c24a752f4cfb65dab07 (patch)
treea5426be63a4f165f3ce15d1e61d8fd10f37fd8c3
parent42c63330f2b05aa6077c1bfc2798c04afe54f6b2 (diff)
downloadlinux-5a44b41207174e1882ce0c24a752f4cfb65dab07.tar.xz
ima: add support for different security.ima data types
IMA-appraisal currently verifies the integrity of a file based on a known 'good' measurement value. This patch reserves the first byte of 'security.ima' as a place holder for the type of method used for verifying file data integrity. Changelog v1: - Use the newly defined 'struct evm_ima_xattr_data' Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@nokia.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-rw-r--r--security/integrity/ima/ima_api.c6
-rw-r--r--security/integrity/ima/ima_appraise.c23
-rw-r--r--security/integrity/integrity.h2
3 files changed, 17 insertions, 14 deletions
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 41cce84416c5..33d46859753a 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -147,8 +147,8 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
if (!(iint->flags & IMA_COLLECTED)) {
u64 i_version = file->f_dentry->d_inode->i_version;
- memset(iint->digest, 0, IMA_DIGEST_SIZE);
- result = ima_calc_hash(file, iint->digest);
+ iint->ima_xattr.type = IMA_XATTR_DIGEST;
+ result = ima_calc_hash(file, iint->ima_xattr.digest);
if (!result) {
iint->version = i_version;
iint->flags |= IMA_COLLECTED;
@@ -196,7 +196,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
return;
}
memset(&entry->template, 0, sizeof(entry->template));
- memcpy(entry->template.digest, iint->digest, IMA_DIGEST_SIZE);
+ memcpy(entry->template.digest, iint->ima_xattr.digest, IMA_DIGEST_SIZE);
strcpy(entry->template.file_name,
(strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ?
file->f_dentry->d_name.name : filename);
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index becc7e09116d..f9979976aa5d 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -45,9 +45,9 @@ int ima_must_appraise(struct inode *inode, enum ima_hooks func, int mask)
static void ima_fix_xattr(struct dentry *dentry,
struct integrity_iint_cache *iint)
{
- iint->digest[0] = IMA_XATTR_DIGEST;
- __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
- iint->digest, IMA_DIGEST_SIZE + 1, 0);
+ iint->ima_xattr.type = IMA_XATTR_DIGEST;
+ __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, (u8 *)&iint->ima_xattr,
+ sizeof iint->ima_xattr, 0);
}
/*
@@ -63,7 +63,7 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
{
struct dentry *dentry = file->f_dentry;
struct inode *inode = dentry->d_inode;
- u8 xattr_value[IMA_DIGEST_SIZE];
+ struct evm_ima_xattr_data xattr_value;
enum integrity_status status = INTEGRITY_UNKNOWN;
const char *op = "appraise_data";
char *cause = "unknown";
@@ -77,8 +77,8 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
if (iint->flags & IMA_APPRAISED)
return iint->ima_status;
- rc = inode->i_op->getxattr(dentry, XATTR_NAME_IMA, xattr_value,
- IMA_DIGEST_SIZE);
+ rc = inode->i_op->getxattr(dentry, XATTR_NAME_IMA, (u8 *)&xattr_value,
+ sizeof xattr_value);
if (rc <= 0) {
if (rc && rc != -ENODATA)
goto out;
@@ -89,7 +89,8 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
goto out;
}
- status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
+ status = evm_verifyxattr(dentry, XATTR_NAME_IMA, (u8 *)&xattr_value,
+ rc, iint);
if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
if ((status == INTEGRITY_NOLABEL)
|| (status == INTEGRITY_NOXATTRS))
@@ -99,14 +100,16 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
goto out;
}
- rc = memcmp(xattr_value, iint->digest, IMA_DIGEST_SIZE);
+ rc = memcmp(xattr_value.digest, iint->ima_xattr.digest,
+ IMA_DIGEST_SIZE);
if (rc) {
status = INTEGRITY_FAIL;
cause = "invalid-hash";
print_hex_dump_bytes("security.ima: ", DUMP_PREFIX_NONE,
- xattr_value, IMA_DIGEST_SIZE);
+ &xattr_value, sizeof xattr_value);
print_hex_dump_bytes("collected: ", DUMP_PREFIX_NONE,
- iint->digest, IMA_DIGEST_SIZE);
+ (u8 *)&iint->ima_xattr,
+ sizeof iint->ima_xattr);
goto out;
}
status = INTEGRITY_PASS;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index dac6b68e945a..91ccef1c704b 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -39,7 +39,7 @@ struct integrity_iint_cache {
struct inode *inode; /* back pointer to inode in question */
u64 version; /* track inode changes */
unsigned char flags;
- u8 digest[SHA1_DIGEST_SIZE];
+ struct evm_ima_xattr_data ima_xattr;
enum integrity_status ima_status;
enum integrity_status evm_status;
};