From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: linux-security-module <linux-security-module@vger.kernel.org>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>, linux-ima-devel@lists.sourceforge.net, Dave Young <dyoung@redhat.com>, kexec@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>, Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH v3 7/9] ima: support restoring multiple template formats
Date: Tue, 6 Sep 2016 10:03:02 -0400
Message-ID: <1473170584-15094-8-git-send-email-zohar@linux.vnet.ibm.com>
In-Reply-To: <1473170584-15094-1-git-send-email-zohar@linux.vnet.ibm.com>

The configured IMA measurement list template format can be replaced at runtime on the boot command line, including a custom template format. This patch adds support for restoring a measurement list containing multiple builtin/custom template formats.

Changelog v3:
- initialize template format list in ima_template_desc_current(), as it might be called during __setup before normal initialization. (kernel test robot)
- remove __init annotation of ima_init_template_list()

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
 security/integrity/ima/ima_template.c | 64 ++++++++++++++++++++++++++++++++--- 1 file changed, 59 insertions(+), 5 deletions(-)

diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c index e1f9ce7..e689b572f 100644 --- a/security/integrity/ima/ima_template.c +++ b/security/integrity/ima/ima_template.c @@ -57,6 +57,8 @@ static int __init ima_template_setup(char *str) if (ima_template) return 1; + ima_init_template_list(); + /* * Verify that a template with the supplied name exists. * If not, use CONFIG_IMA_DEFAULT_TEMPLATE. 
@@ -153,9 +155,14 @@ static int template_desc_init_fields(const char *template_fmt, { const char *template_fmt_ptr; struct ima_template_field *found_fields[IMA_TEMPLATE_NUM_FIELDS_MAX]; - int template_num_fields = template_fmt_size(template_fmt); + int template_num_fields; int i, len; + if (num_fields && *num_fields > 0) /* already initialized? */ + return 0; + + template_num_fields = template_fmt_size(template_fmt); + if (template_num_fields > IMA_TEMPLATE_NUM_FIELDS_MAX) { pr_err("format string '%s' contains too many fields\n", template_fmt); @@ -193,10 +200,13 @@ static int template_desc_init_fields(const char *template_fmt, return 0; } -void __init ima_init_template_list(void) +void ima_init_template_list(void) { int i; + if (!list_empty(&defined_templates)) + return; + spin_lock(&template_list); for (i = 0; i < ARRAY_SIZE(builtin_templates); i++) { list_add_tail_rcu(&builtin_templates[i].list, @@ -208,9 +218,11 @@ void __init ima_init_template_list(void) struct ima_template_desc *ima_template_desc_current(void) { - if (!ima_template) + if (!ima_template) { + ima_init_template_list(); ima_template = lookup_template_desc(CONFIG_IMA_DEFAULT_TEMPLATE); + } return ima_template; } 
@@ -230,6 +242,35 @@ int __init ima_init_template(void) return result; } +static struct ima_template_desc *restore_template_fmt(char *template_name) +{ + struct ima_template_desc *template_desc = NULL; + int ret; + + ret = template_desc_init_fields(template_name, NULL, NULL); + if (ret < 0) { + pr_err("attempting to initialize the template \"%s\" failed\n", + template_name); + goto out; + } + + template_desc = kzalloc(sizeof(*template_desc), GFP_KERNEL); + if (!template_desc) + goto out; + + template_desc->name = ""; + template_desc->fmt = kstrdup(template_name, GFP_KERNEL); + if (!template_desc->fmt) + goto out; + + spin_lock(&template_list); + list_add_tail_rcu(&template_desc->list, &defined_templates); + spin_unlock(&template_list); + synchronize_rcu(); +out: + return template_desc; +} + static int ima_restore_template_data(struct ima_template_desc *template_desc, void *template_data, int template_data_size, @@ -360,10 +401,23 @@ int ima_restore_measurement_list(loff_t size, void *buf) } data_v1 = bufp += (u_int8_t)hdr_v1->template_name_len; - /* get template format */ template_desc = lookup_template_desc(template_name); if (!template_desc) { - pr_err("template \"%s\" not found\n", template_name); + template_desc = restore_template_fmt(template_name); + if (!template_desc) + break; + } + + /* + * Only the running system's template format is initialized + * on boot. As needed, initialize the other template formats. + */ + ret = template_desc_init_fields(template_desc->fmt, + &(template_desc->fields), + &(template_desc->num_fields)); + if (ret < 0) { + pr_err("attempting to restore the template fmt \"%s\" \ + failed\n", template_desc->fmt); ret = -EINVAL; break; } -- 2.1.0
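Review bot: in the template_desc_init_fields() hunk, the early return `if (num_fields && *num_fields > 0) /* already initialized? */ return 0;` gives the function two undocumented modes: with `fields`/`num_fields` non-NULL it parses and initializes a descriptor at most once, and with both NULL, as restore_template_fmt() calls it via `template_desc_init_fields(template_name, NULL, NULL)`, it only validates the format string. Add a comment above the function stating that NULL output pointers mean validate-only and that the pair must be both NULL or both non-NULL, since only `num_fields` is checked here and nothing guards `fields`.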
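Review bot: in the ima_init_template_list() hunk, the new `if (!list_empty(&defined_templates)) return;` guard runs before `spin_lock(&template_list)` is taken, so the emptiness check and the list_add_tail_rcu() loop are not atomic: two callers racing on the first call would both see an empty list and each link the static builtin_templates entries, corrupting the list. With the callers visible in this patch (the __setup handler and ima_template_desc_current()) this is single-threaded in practice, but now that the function has lost its __init annotation it is reachable later in the kernel's lifetime; either move the list_empty() check under the lock or add a comment explaining why the unlocked check is safe.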
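Review bot: in the restore_template_fmt() hunk, the kstrdup() failure path is broken: `if (!template_desc->fmt) goto out;` reaches `out: return template_desc;` with template_desc still pointing at the kzalloc()ed descriptor, so the caller gets back a descriptor whose fmt is NULL and that was never added to defined_templates, and then dereferences it in `template_desc_init_fields(template_desc->fmt, ...)`; the descriptor is also leaked. Free and reset before jumping, e.g. `kfree(template_desc); template_desc = NULL; goto out;`. A smaller point: the too-many-fields failure of template_desc_init_fields() already logs `pr_err("format string '%s' contains too many fields\n", ...)`, so the pr_err added here reports that case twice.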
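Review bot: in the ima_restore_measurement_list() hunk, `if (!template_desc) break;` after restore_template_fmt() leaves `ret` untouched, so an allocation failure while registering a custom format ends the loop with whatever `ret` held from the previous iteration and the restore is silently truncated; the removed `pr_err("template \"%s\" not found\n", template_name);` was the only diagnostic on this path, and the allocation failures inside restore_template_fmt() log nothing. Set `ret = -ENOMEM;` (and log) before the break. Separately, the added pr_err uses a backslash line continuation inside the string literal, `\"%s\" \` followed by `failed\n"`, which splices the next line's leading indentation into the message; use adjacent string literals instead, e.g. `pr_err("attempting to restore the template fmt \"%s\" " "failed\n", template_desc->fmt);`.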
Thread overview (series posted 2016-09-06 by Mimi Zohar):

  [PATCH v3 0/9] ima: carry the measurement list across kexec
  [PATCH v3 1/9] ima: on soft reboot, restore the measurement list
  [PATCH v3 2/9] ima: permit duplicate measurement list entries
  [PATCH v3 3/9] ima: maintain memory size needed for serializing the measurement list
  [PATCH v3 4/9] ima: serialize the binary_runtime_measurements
  [PATCH v3 5/9] ima: on soft reboot, save the measurement list
  [PATCH v3 6/9] ima: store the builtin/custom template definitions in a list
  [PATCH v3 7/9] ima: support restoring multiple template formats  [this message]
  [PATCH v3 8/9] ima: define a canonical binary_runtime_measurements list format
  [PATCH v3 9/9] ima: platform-independent hash value