| author | Mimi Zohar <zohar@linux.ibm.com> | 2021-07-23 16:39:52 +0300 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2021-07-23 20:37:19 +0300 |
| commit | e37be5343ae2b9419aea1442b07e5d2428b437b4 (patch) | |
| tree | 46966a8fd69ed70c7223b0c044f5244fddaef4ce /include | |
| parent | a32ad90426a9c8eb3915eed26e08ce133bd9e0da (diff) | |
| parent | ca3c9bdb101d9b9eb3ed8a85cc0fe55915ba49de (diff) | |
| download | linux-e37be5343ae2b9419aea1442b07e5d2428b437b4.tar.xz | |
Merge branch 'ima-buffer-measurement-changes-v4' into next-integrity
Based on cover letter "ima: Provide more info about buffer measurement":
Providing more information about buffer measurements requires
modification of the existing functions ima_measure_critical_data()
and process_buffer_measurement(). Unlike for file measurements,
there is no integrity_iint_cache structure for storing and retrieving
buffer measurements.
With these changes, kernel subsystems relying on IMA to measure
critical data no longer have to duplicate the code that calculates the
buffer digest; instead they can obtain directly the digest that IMA
itself would insert, depending on the policy, into the new measurement
list entry.
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/ima.h | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 61d5723ec303..b6ab66a546ae 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -11,9 +11,11 @@
#include <linux/fs.h>
#include <linux/security.h>
#include <linux/kexec.h>
+#include <crypto/hash_info.h>
struct linux_binprm;
#ifdef CONFIG_IMA
+extern enum hash_algo ima_get_current_hash_algo(void);
extern int ima_bprm_check(struct linux_binprm *bprm);
extern int ima_file_check(struct file *file, int mask);
extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
@@ -33,10 +35,10 @@ extern void ima_post_path_mknod(struct user_namespace *mnt_userns,
extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size);
extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);
-extern void ima_measure_critical_data(const char *event_label,
- const char *event_name,
- const void *buf, size_t buf_len,
- bool hash);
+extern int ima_measure_critical_data(const char *event_label,
+ const char *event_name,
+ const void *buf, size_t buf_len,
+ bool hash, u8 *digest, size_t digest_len);
#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
extern void ima_appraise_parse_cmdline(void);
@@ -64,6 +66,11 @@ static inline const char * const *arch_get_ima_policy(void)
#endif
#else
+static inline enum hash_algo ima_get_current_hash_algo(void)
+{
+ return HASH_ALGO__LAST;
+}
+
static inline int ima_bprm_check(struct linux_binprm *bprm)
{
return 0;
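Review bot: The new `u8 *digest, size_t digest_len` out-parameters on the CONFIG_IMA prototype of `ima_measure_critical_data()` come with no statement of their contract in the header: whether `digest` may be NULL when a caller only wants the measurement, how large `digest_len` must be (presumably at least the digest size of the algorithm returned by `ima_get_current_hash_algo()`, which is why that accessor is exported in the same hunk), and what the new `int` return encodes. Because callers will size a stack buffer from this, I would add a kernel-doc comment on the prototype giving the minimum buffer size, stating that the digest is only written on a successful measurement, and listing which negative errno values mean "no digest available" rather than a hard failure. Whether the implementation rejects a too-small `digest_len` is not visible in this hunk and should be confirmed against process_buffer_measurement().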
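Review bot: The `!CONFIG_IMA` stub of `ima_get_current_hash_algo()` returns the `HASH_ALGO__LAST` sentinel, but neither declaration tells a caller that this value can come back, and a caller that uses the result directly as an index into the per-algorithm tables from `<crypto/hash_info.h>` (for example to size a digest buffer) would read one past the end. I would add `/* No IMA: report the HASH_ALGO__LAST sentinel; callers must check for it before indexing hash_digest_size[] */` on the stub and mirror the same caveat on the extern prototype so it is visible in both configurations. Whether the real implementation can also return the sentinel before the IMA hash algorithm is initialised is not visible here and is worth confirming.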
@@ -137,10 +144,14 @@ static inline int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size
static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {}
-static inline void ima_measure_critical_data(const char *event_label,
+static inline int ima_measure_critical_data(const char *event_label,
const char *event_name,
const void *buf, size_t buf_len,
- bool hash) {}
+ bool hash, u8 *digest,
+ size_t digest_len)
+{
+ return -ENOENT;
+}
#endif /* CONFIG_IMA */ |
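Review bot: Turning the `!CONFIG_IMA` stub of `ima_measure_critical_data()` from a silent no-op into one that returns `-ENOENT` changes what every existing call site sees on a non-IMA kernel, and a caller that treats any non-zero return as a failure will now error out where it previously carried on; the neighbouring stubs in the same `#else` branch return 0 (see `ima_bprm_check` in the earlier hunk), so the asymmetry deserves an explanation. I would document it on the stub, `/* IMA not built in: nothing is measured and no digest is produced; callers should treat -ENOENT as "not measured", not as a fatal error */`, and check the in-tree callers converted by this series. The stub never touches `digest`, which is fine, but it means callers must not read the buffer after a non-zero return; the kernel-doc on the real prototype should say so.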
