Re: [PATCH 3/3] ima: Add digest parameter to the functions to measure a buffer

From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: Roberto Sassu <roberto.sassu@huawei.com>,
	zohar@linux.ibm.com, paul@paul-moore.com
Cc: stephen.smalley.work@gmail.com, prsriva02@gmail.com,
	tusharsu@linux.microsoft.com, linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [PATCH 3/3] ima: Add digest parameter to the functions to measure a buffer
Date: Wed, 30 Jun 2021 07:56:24 -0700	[thread overview]
Message-ID: <e34639b4-145a-05a0-5ab4-ea51f9093e90@linux.microsoft.com> (raw)
In-Reply-To: <20210630141635.2862222-4-roberto.sassu@huawei.com>

On 6/30/2021 7:16 AM, Roberto Sassu wrote:

Hi Roberto,

> This patch adds the 'digest' parameter to ima_measure_critical_data() and
> process_buffer_measurement(), so that callers can get the digest of the
> passed buffer.
> 
> These functions calculate the digest even if there is no suitable rule in
> the IMA policy and, in this case, they simply return 1 before generating a
> new measurement entry.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>   include/linux/ima.h                          |  4 +--
>   security/integrity/ima/ima.h                 |  2 +-
>   security/integrity/ima/ima_appraise.c        |  2 +-
>   security/integrity/ima/ima_asymmetric_keys.c |  2 +-
>   security/integrity/ima/ima_init.c            |  2 +-
>   security/integrity/ima/ima_main.c            | 31 +++++++++++++-------
>   security/integrity/ima/ima_queue_keys.c      |  2 +-
>   security/selinux/ima.c                       |  4 +--
>   8 files changed, 30 insertions(+), 19 deletions(-)
> 

>   
> +	if (digest)
> +		memcpy(digest, iint.ima_hash->digest,
> +		       hash_digest_size[ima_hash_algo]);

I think the caller should also pass the size of the buffer allocated to 
receive the calculated digest. And, here copy only up to that many bytes 
so we don't accidentally cause buffer overrun.

  -lakshmi

> +
> +	if (!ima_policy_flag || (func && !(action & IMA_MEASURE)))
> +		return 1;
> +
>   	ret = ima_alloc_init_template(&event_data, &entry, template);
>   	if (ret < 0) {
>   		audit_cause = "alloc_entry";
> @@ -966,7 +975,7 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
>   	ret = process_buffer_measurement(file_mnt_user_ns(f.file),
>   					 file_inode(f.file), buf, size,
>   					 "kexec-cmdline", KEXEC_CMDLINE, 0,
> -					 NULL, false);
> +					 NULL, false, NULL);
>   	fdput(f);
>   }
>   
> @@ -977,26 +986,28 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
>    * @buf: pointer to buffer data
>    * @buf_len: length of buffer data (in bytes)
>    * @hash: measure buffer data hash
> + * @digest: buffer digest will be written to
>    *
>    * Measure data critical to the integrity of the kernel into the IMA log
>    * and extend the pcr.  Examples of critical data could be various data
>    * structures, policies, and states stored in kernel memory that can
>    * impact the integrity of the system.
>    *
> - * Returns 0 if the buffer has been successfully measured, a negative value
> - * otherwise.
> + * Returns 0 if the buffer has been successfully measured, 1 if the digest
> + * has been written to the passed location but not added to a measurement entry,
> + * a negative value otherwise.
>    */
>   int ima_measure_critical_data(const char *event_label,
>   			      const char *event_name,
>   			      const void *buf, size_t buf_len,
> -			      bool hash)
> +			      bool hash, u8 *digest)
>   {
>   	if (!event_name || !event_label || !buf || !buf_len)
>   		return -ENOPARAM;
>   
>   	return process_buffer_measurement(&init_user_ns, NULL, buf, buf_len,
>   					  event_name, CRITICAL_DATA, 0,
> -					  event_label, hash);
> +					  event_label, hash, digest);
>   }
>   
>   static int __init init_ima(void)
> diff --git a/security/integrity/ima/ima_queue_keys.c b/security/integrity/ima/ima_queue_keys.c
> index e3047ce64f39..ac00a4778a91 100644
> --- a/security/integrity/ima/ima_queue_keys.c
> +++ b/security/integrity/ima/ima_queue_keys.c
> @@ -166,7 +166,7 @@ void ima_process_queued_keys(void)
>   							 entry->keyring_name,
>   							 KEY_CHECK, 0,
>   							 entry->keyring_name,
> -							 false);
> +							 false, NULL);
>   		list_del(&entry->list);
>   		ima_free_key_entry(entry);
>   	}
> diff --git a/security/selinux/ima.c b/security/selinux/ima.c
> index 4db9fa211638..96bd7ead8081 100644
> --- a/security/selinux/ima.c
> +++ b/security/selinux/ima.c
> @@ -88,7 +88,7 @@ void selinux_ima_measure_state_locked(struct selinux_state *state)
>   
>   	measure_rc = ima_measure_critical_data("selinux", "selinux-state",
>   					       state_str, strlen(state_str),
> -					       false);
> +					       false, NULL);
>   
>   	kfree(state_str);
>   
> @@ -105,7 +105,7 @@ void selinux_ima_measure_state_locked(struct selinux_state *state)
>   	}
>   
>   	measure_rc = ima_measure_critical_data("selinux", "selinux-policy-hash",
> -					       policy, policy_len, true);
> +					       policy, policy_len, true, NULL);
>   
>   	vfree(policy);
>   }
> 