From: Mimi Zohar Date: Tue, 10 Jan 2012 03:59:36 +0000 (-0500) Subject: ima: add support for different security.ima data types X-Git-Tag: v3.8~302^2~17^2~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=5a44b41207174e1882ce0c24a752f4cfb65dab07;p=platform%2Fkernel%2Flinux-amlogic.git ima: add support for different security.ima data types IMA-appraisal currently verifies the integrity of a file based on a known 'good' measurement value. This patch reserves the first byte of 'security.ima' as a place holder for the type of method used for verifying file data integrity. Changelog v1: - Use the newly defined 'struct evm_ima_xattr_data' Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar --- diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 41cce84..33d4685 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -147,8 +147,8 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, if (!(iint->flags & IMA_COLLECTED)) { u64 i_version = file->f_dentry->d_inode->i_version; - memset(iint->digest, 0, IMA_DIGEST_SIZE); - result = ima_calc_hash(file, iint->digest); + iint->ima_xattr.type = IMA_XATTR_DIGEST; + result = ima_calc_hash(file, iint->ima_xattr.digest); if (!result) { iint->version = i_version; iint->flags |= IMA_COLLECTED; @@ -196,7 +196,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, return; } memset(&entry->template, 0, sizeof(entry->template)); - memcpy(entry->template.digest, iint->digest, IMA_DIGEST_SIZE); + memcpy(entry->template.digest, iint->ima_xattr.digest, IMA_DIGEST_SIZE); strcpy(entry->template.file_name, (strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ? file->f_dentry->d_name.name : filename); diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index becc7e0..f997997 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -45,9 +45,9 @@ int ima_must_appraise(struct inode *inode, enum ima_hooks func, int mask) static void ima_fix_xattr(struct dentry *dentry, struct integrity_iint_cache *iint) { - iint->digest[0] = IMA_XATTR_DIGEST; - __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, - iint->digest, IMA_DIGEST_SIZE + 1, 0); + iint->ima_xattr.type = IMA_XATTR_DIGEST; + __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, (u8 *)&iint->ima_xattr, + sizeof iint->ima_xattr, 0); } /* @@ -63,7 +63,7 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint, { struct dentry *dentry = file->f_dentry; struct inode *inode = dentry->d_inode; - u8 xattr_value[IMA_DIGEST_SIZE]; + struct evm_ima_xattr_data xattr_value; enum integrity_status status = INTEGRITY_UNKNOWN; const char *op = "appraise_data"; char *cause = "unknown"; @@ -77,8 +77,8 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint, if (iint->flags & IMA_APPRAISED) return iint->ima_status; - rc = inode->i_op->getxattr(dentry, XATTR_NAME_IMA, xattr_value, - IMA_DIGEST_SIZE); + rc = inode->i_op->getxattr(dentry, XATTR_NAME_IMA, (u8 *)&xattr_value, + sizeof xattr_value); if (rc <= 0) { if (rc && rc != -ENODATA) goto out; @@ -89,7 +89,8 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint, goto out; } - status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint); + status = evm_verifyxattr(dentry, XATTR_NAME_IMA, (u8 *)&xattr_value, + rc, iint); if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) { if ((status == INTEGRITY_NOLABEL) || (status == INTEGRITY_NOXATTRS)) @@ -99,14 +100,16 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint, goto out; } - rc = memcmp(xattr_value, iint->digest, IMA_DIGEST_SIZE); + rc = memcmp(xattr_value.digest, iint->ima_xattr.digest, + IMA_DIGEST_SIZE); if (rc) { status = INTEGRITY_FAIL; cause = "invalid-hash"; print_hex_dump_bytes("security.ima: ", DUMP_PREFIX_NONE, - xattr_value, IMA_DIGEST_SIZE); + &xattr_value, sizeof xattr_value); print_hex_dump_bytes("collected: ", DUMP_PREFIX_NONE, - iint->digest, IMA_DIGEST_SIZE); + (u8 *)&iint->ima_xattr, + sizeof iint->ima_xattr); goto out; } status = INTEGRITY_PASS; diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index dac6b68..91ccef1 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -39,7 +39,7 @@ struct integrity_iint_cache { struct inode *inode; /* back pointer to inode in question */ u64 version; /* track inode changes */ unsigned char flags; - u8 digest[SHA1_DIGEST_SIZE]; + struct evm_ima_xattr_data ima_xattr; enum integrity_status ima_status; enum integrity_status evm_status; };