From: Roberto Sassu <roberto.sassu@huawei.com> To: <zohar@linux.ibm.com>, <dmitry.kasatkin@huawei.com>, <mjg59@google.com> Cc: <linux-integrity@vger.kernel.org>, <linux-security-module@vger.kernel.org>, <linux-fsdevel@vger.kernel.org>, <linux-doc@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <silviu.vlasceanu@huawei.com>, Roberto Sassu <roberto.sassu@huawei.com> Subject: [PATCH v4 09/14] ima: introduce new securityfs files Date: Fri, 14 Jun 2019 19:55:08 +0200 Message-ID: <20190614175513.27097-10-roberto.sassu@huawei.com> (raw) In-Reply-To: <20190614175513.27097-1-roberto.sassu@huawei.com> This patch introduces two new files in the securityfs filesystem: digest_list_data, loads a digest list from the specified path, if it is in the compact format, or loads a digest list converted by the user space parser; digests_count: shows the number of digests stored in the ima_digests_htable hash table. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- include/linux/fs.h | 1 + security/integrity/ima/ima_fs.c | 44 ++++++++++++++++++++++++++++++++- 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/include/linux/fs.h b/include/linux/fs.h index f7fdfe93e25d..0591a3c3cc2f 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2921,6 +2921,7 @@ extern int do_pipe_flags(int *, int); id(KEXEC_INITRAMFS, kexec-initramfs) \ id(POLICY, security-policy) \ id(X509_CERTIFICATE, x509-certificate) \ + id(DIGEST_LIST, digest-list) \ id(MAX_ID, ) #define __fid_enumify(ENUM, dummy) READING_ ## ENUM, diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 0f503b7cd396..b02b9a447d56 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -24,6 +24,7 @@ #include <linux/vmalloc.h> #include "ima.h" +#include "ima_digest_list.h" static DEFINE_MUTEX(ima_write_mutex); @@ -34,6 +35,8 @@ static struct dentry *ascii_runtime_measurements; static struct dentry *runtime_measurements_count; static struct dentry *violations; static struct dentry *ima_policy; +static struct dentry *digests_count; +static struct dentry *digest_list_data; bool ima_canonical_fmt; static int __init default_canonical_fmt_setup(char *str) @@ -58,6 +61,10 @@ static ssize_t ima_show_htable_value(struct file *filp, char __user *buf, val = &ima_htable.violations; else if (filp->f_path.dentry == runtime_measurements_count) val = &ima_htable.len; +#ifdef CONFIG_IMA_DIGEST_LIST + else if (filp->f_path.dentry == digests_count) + val = &ima_digests_htable.len; +#endif len = scnprintf(tmpbuf, sizeof(tmpbuf), "%li\n", atomic_long_read(val)); return simple_read_from_buffer(buf, count, ppos, tmpbuf, len); @@ -296,6 +303,9 @@ static ssize_t ima_read_file(char *path, enum kernel_read_file_id file_id) pr_debug("rule: %s\n", p); rc = ima_parse_add_rule(p); break; + case READING_DIGEST_LIST: + rc = ima_parse_compact_list(size, data); + break; default: break; } @@ -319,6 +329,10 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, char *data; ssize_t result; struct dentry *dentry = file_dentry(file); + enum kernel_read_file_id id = READING_POLICY; + + if (dentry == digest_list_data) + id = READING_DIGEST_LIST; /* No partial writes. */ result = -EINVAL; @@ -345,7 +359,7 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, goto out_free; if (data[0] == '/') { - result = ima_read_file(data, READING_POLICY); + result = ima_read_file(data, id); } else if (dentry == ima_policy) { if (ima_appraise & IMA_APPRAISE_POLICY) { pr_err("signed policy file (specified as an absolute pathname) required\n"); @@ -357,6 +371,11 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, } else { result = ima_parse_add_rule(data); } + } else if (dentry == digest_list_data) { + if (ima_check_current_is_parser()) + result = ima_parse_compact_list(datalen, data); + else + result = -EACCES; } else { pr_err("Unknown data type\n"); result = -EINVAL; @@ -373,6 +392,7 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, enum ima_fs_flags { IMA_POLICY_BUSY, + IMA_DIGEST_LIST_DATA_BUSY, IMA_FS_BUSY, }; @@ -382,6 +402,8 @@ static enum ima_fs_flags ima_get_dentry_flag(struct dentry *dentry) if (dentry == ima_policy) flag = IMA_POLICY_BUSY; + else if (dentry == digest_list_data) + flag = IMA_DIGEST_LIST_DATA_BUSY; return flag; } @@ -412,6 +434,8 @@ static int ima_open_data_upload(struct inode *inode, struct file *filp) read_allowed = true; seq_ops = &ima_policy_seqops; #endif + } else if (dentry == digest_list_data) { + ima_set_parser(current); } if (!(filp->f_flags & O_WRONLY)) { @@ -444,6 +468,9 @@ static int ima_release_data_upload(struct inode *inode, struct file *file) if ((file->f_flags & O_ACCMODE) == O_RDONLY) return seq_release(inode, file); + if (dentry == digest_list_data) + ima_set_parser(NULL); + if (dentry != ima_policy) { clear_bit(flag, &ima_fs_flags); return 0; @@ -529,8 +556,23 @@ int __init ima_fs_init(void) if (IS_ERR(ima_policy)) goto out; +#ifdef CONFIG_IMA_DIGEST_LIST + digests_count = securityfs_create_file("digests_count", + S_IRUSR | S_IRGRP, ima_dir, + NULL, &ima_htable_value_ops); + if (IS_ERR(digests_count)) + goto out; + + digest_list_data = securityfs_create_file("digest_list_data", S_IWUSR, + ima_dir, NULL, + &ima_data_upload_ops); + if (IS_ERR(digest_list_data)) + goto out; +#endif return 0; out: + securityfs_remove(digest_list_data); + securityfs_remove(digests_count); securityfs_remove(violations); securityfs_remove(runtime_measurements_count); securityfs_remove(ascii_runtime_measurements); -- 2.17.1
next prev parent reply index Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-06-14 17:54 [PATCH v4 00/14] ima: introduce IMA Digest Lists extension Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 01/14] ima: read hash algorithm from security.ima even if appraisal is not enabled Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 02/14] ima: generalize ima_read_policy() Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 03/14] ima: generalize ima_write_policy() and raise uploaded data size limit Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 04/14] ima: generalize policy file operations Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 05/14] ima: use ima_show_htable_value to show violations and hash table data Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 06/14] ima: add parser of compact digest list Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 07/14] ima: restrict upload of converted digest lists Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 08/14] ima: prevent usage of digest lists that are not measured/appraised Roberto Sassu 2019-06-14 17:55 ` Roberto Sassu [this message] 2019-06-14 17:55 ` [PATCH v4 10/14] ima: load parser digests and execute the parser at boot time Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 11/14] ima: add support for measurement with digest lists Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 12/14] ima: add support for appraisal " Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 13/14] ima: introduce new policies initrd and appraise_initrd Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 14/14] ima: add Documentation/security/IMA-digest-lists.txt Roberto Sassu 2019-06-17 6:56 ` [PATCH v4 00/14] ima: introduce IMA Digest Lists extension Roberto Sassu 2019-06-25 12:57 ` Roberto Sassu 2019-06-25 17:35 ` Mimi Zohar 2019-06-26 11:38 ` Roberto Sassu
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20190614175513.27097-10-roberto.sassu@huawei.com \ --to=roberto.sassu@huawei.com \ --cc=dmitry.kasatkin@huawei.com \ --cc=linux-doc@vger.kernel.org \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=mjg59@google.com \ --cc=silviu.vlasceanu@huawei.com \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Linux-Integrity Archive on lore.kernel.org Archives are clonable: git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \ linux-integrity@vger.kernel.org public-inbox-index linux-integrity Example config snippet for mirrors Newsgroup available over NNTP: nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity AGPL code for this site: git clone https://public-inbox.org/public-inbox.git