From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> To: zohar@linux.ibm.com, dhowells@redhat.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4 06/10] IMA: Measure key if the IMA policy allows measurement for the keyring to which the key is linked to Date: Wed, 6 Nov 2019 11:01:12 -0800 Message-ID: <20191106190116.2578-7-nramas@linux.microsoft.com> (raw) In-Reply-To: <20191106190116.2578-1-nramas@linux.microsoft.com> process_buffer_measurement() needs to check if the keyring to which the given key is linked to is listed in the keyrings option in the IMA policy. This patch adds a new parameter "keyring" to process_buffer_measurement(). If process_buffer_measurement() is called with func KEYRING_CHECK and the name of the keyring to which the key is linked to, then the given key is measured if: 1, IMA policy did not specify "keyrings=" option. 2, Or, the given keyring name is listed in the "keyrings=" option. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> --- security/integrity/ima/ima.h | 2 +- security/integrity/ima/ima_appraise.c | 2 +- security/integrity/ima/ima_main.c | 26 ++++++++++++++++++++++++-- 3 files changed, 26 insertions(+), 4 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 387829afb9a2..f15199f7ff2a 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -221,7 +221,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, struct ima_template_desc *template_desc); void process_buffer_measurement(const void *buf, int size, const char *eventname, enum ima_hooks func, - int pcr); + int pcr, const char *keyring); void ima_audit_measurement(struct integrity_iint_cache *iint, const unsigned char *filename); int ima_alloc_init_template(struct ima_event_data *event_data, diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 47ad4f56c0a8..a9649b04b9f1 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -330,7 +330,7 @@ int ima_check_blacklist(struct integrity_iint_cache *iint, if ((rc == -EPERM) && (iint->flags & IMA_MEASURE)) process_buffer_measurement(digest, digestsize, "blacklisted-hash", NONE, - pcr); + pcr, NULL); } return rc; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index b6d17f37ba61..56540357c854 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -632,12 +632,22 @@ int ima_load_data(enum kernel_load_data_id id) * @eventname: event name to be used for the buffer entry. * @func: IMA hook * @pcr: pcr to extend the measurement + * @keyring: keyring for the measurement + * + * The following scenarios are possible with respect to + * the parameter "keyring": + * 1, keyring is NULL. In this case buffer is measured. + * 2, keyring is not NULL, but ima_get_action returned + * a NULL keyrings. In this case also the buffer is measured. + * 3, keyring is not NULL and ima_get_action returned + * a non-NULL keyrings. In this case measure the buffer + * only if the given keyring is present in the keyrings. * * Based on policy, the buffer is measured into the ima log. */ void process_buffer_measurement(const void *buf, int size, const char *eventname, enum ima_hooks func, - int pcr) + int pcr, const char *keyring) { int ret = 0; struct ima_template_entry *entry = NULL; @@ -656,6 +666,13 @@ void process_buffer_measurement(const void *buf, int size, int action = 0; u32 secid; + /* + * If IMA is not yet initialized or IMA policy is empty + * then there is no need to measure. + */ + if (!ima_policy_flag) + return; + /* * Both LSM hooks and auxilary based buffer measurements are * based on policy. To avoid code duplication, differentiate @@ -671,6 +688,11 @@ void process_buffer_measurement(const void *buf, int size, return; } + if ((keyring != NULL) && (keyrings != NULL) + && (strstr(keyrings, keyring) == NULL)) { + return; + } + if (!pcr) pcr = CONFIG_IMA_MEASURE_PCR_IDX; @@ -719,7 +741,7 @@ void ima_kexec_cmdline(const void *buf, int size) { if (buf && size != 0) process_buffer_measurement(buf, size, "kexec-cmdline", - KEXEC_CMDLINE, 0); + KEXEC_CMDLINE, 0, NULL); } /** -- 2.17.1
next prev parent reply index Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-11-06 19:01 [PATCH v4 0/10] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 01/10] IMA: Defined an IMA hook to measure keys on key create or update Lakshmi Ramasubramanian 2019-11-06 22:43 ` Mimi Zohar 2019-11-07 0:21 ` Lakshmi Ramasubramanian 2019-11-07 3:40 ` Mimi Zohar 2019-11-07 18:42 ` Lakshmi Ramasubramanian 2019-11-07 20:53 ` Mimi Zohar 2019-11-07 21:12 ` Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 02/10] IMA: Added KEYRING_CHECK func in IMA policy to measure keys Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 03/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specified keyrings Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 04/10] IMA: Read keyrings= option from the IMA policy into ima_rule_entry Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 05/10] IMA: Updated IMA policy functions to return keyrings option read from the policy Lakshmi Ramasubramanian 2019-11-06 19:01 ` Lakshmi Ramasubramanian [this message] 2019-11-06 19:01 ` [PATCH v4 07/10] IMA: Added a boolean flag to track IMA initialization status Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 08/10] IMA: Defined functions to queue and dequeue keys for measurement Lakshmi Ramasubramanian 2019-11-06 22:44 ` Mimi Zohar 2019-11-06 23:52 ` Lakshmi Ramasubramanian 2019-11-07 2:20 ` Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 09/10] IMA: Call queue and dequeue functions to measure keys Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 10/10] KEYS: Call the IMA hook to measure key when a new key is created or an existing key is updated Lakshmi Ramasubramanian
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20191106190116.2578-7-nramas@linux.microsoft.com \ --to=nramas@linux.microsoft.com \ --cc=dhowells@redhat.com \ --cc=jamorris@linux.microsoft.com \ --cc=keyrings@vger.kernel.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=matthewgarrett@google.com \ --cc=sashal@kernel.org \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Linux-Integrity Archive on lore.kernel.org Archives are clonable: git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \ linux-integrity@vger.kernel.org public-inbox-index linux-integrity Example config snippet for mirrors Newsgroup available over NNTP: nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity AGPL code for this site: git clone https://public-inbox.org/public-inbox.git