From: Roberto Sassu <roberto.sassu@huawei.com>
To: <linux-integrity@vger.kernel.org>
Cc: <linux-security-module@vger.kernel.org>,
<linux-fsdevel@vger.kernel.org>, <linux-doc@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <silviu.vlasceanu@huawei.com>,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH v2 07/15] ima: add parser of compact digest list
Date: Tue, 7 Nov 2017 11:37:02 +0100 [thread overview]
Message-ID: <20171107103710.10883-8-roberto.sassu@huawei.com> (raw)
In-Reply-To: <20171107103710.10883-1-roberto.sassu@huawei.com>
This patch introduces the parser for the compact digest list.
Its format is:
entry_id[2] count[4] data_len[4]
data[data_len]
entry_id[2] count[4] data_len[4]
data[data_len]
...
entry_id, count and data_len are in little endian.
This format is suitable to store a large number of digests, as there is no
metadata provided for each. Digests (which have all the same size) are
concatenated together and placed after the header.
COMPACT_DIGEST (0) and COMPACT_DIGEST_MUTABLE (1) entry IDs are supported.
If the entry ID is COMPACT_DIGEST and appraisal is in enforcing mode, file
updates are denied. If the entry ID is COMPACT_DIGEST_MUTABLE, file updates
are permitted.
Changelog
v1:
- Renamed COMPACT_LIST_ID_DIGEST to COMPACT_DIGEST
- Added support for immutable/mutable files
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
security/integrity/ima/ima_digest_list.c | 66 ++++++++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
diff --git a/security/integrity/ima/ima_digest_list.c b/security/integrity/ima/ima_digest_list.c
index 28172424e5a2..6ad00ba32c94 100644
--- a/security/integrity/ima/ima_digest_list.c
+++ b/security/integrity/ima/ima_digest_list.c
@@ -23,6 +23,69 @@ enum digest_metadata_fields {DATA_ALGO, DATA_DIGEST, DATA_SIGNATURE,
DATA_FILE_PATH, DATA_REF_ID, DATA_TYPE,
DATA__LAST};
+enum digest_data_types {DATA_TYPE_COMPACT_LIST};
+
+enum compact_list_entry_ids {COMPACT_DIGEST, COMPACT_DIGEST_MUTABLE};
+
+struct compact_list_hdr {
+ u16 entry_id;
+ u32 count;
+ u32 datalen;
+} __packed;
+
+static int ima_parse_compact_list(loff_t size, void *buf)
+{
+ void *bufp = buf, *bufendp = buf + size;
+ int digest_len = hash_digest_size[ima_hash_algo];
+ struct compact_list_hdr *hdr;
+ u8 is_mutable = 0;
+ int ret, i;
+
+ while (bufp < bufendp) {
+ if (bufp + sizeof(*hdr) > bufendp) {
+ pr_err("compact list, missing header\n");
+ return -EINVAL;
+ }
+
+ hdr = bufp;
+
+ if (ima_canonical_fmt) {
+ hdr->entry_id = le16_to_cpu(hdr->entry_id);
+ hdr->count = le32_to_cpu(hdr->count);
+ hdr->datalen = le32_to_cpu(hdr->datalen);
+ }
+
+ switch (hdr->entry_id) {
+ case COMPACT_DIGEST_MUTABLE:
+ is_mutable = 1;
+ case COMPACT_DIGEST:
+ break;
+ default:
+ pr_err("compact list, invalid data type\n");
+ return -EINVAL;
+ }
+
+ bufp += sizeof(*hdr);
+
+ for (i = 0; i < hdr->count &&
+ bufp + digest_len <= bufendp; i++) {
+ ret = ima_add_digest_data_entry(bufp, is_mutable);
+ if (ret < 0 && ret != -EEXIST)
+ return ret;
+
+ bufp += digest_len;
+ }
+
+ if (i != hdr->count ||
+ bufp != (void *)hdr + sizeof(*hdr) + hdr->datalen) {
+ pr_err("compact list, invalid data\n");
+ return -EINVAL;
+ }
+ }
+
+ return 0;
+}
+
static int ima_parse_digest_list_data(struct ima_field_data *data)
{
void *digest_list;
@@ -47,6 +110,9 @@ static int ima_parse_digest_list_data(struct ima_field_data *data)
}
switch (data_type) {
+ case DATA_TYPE_COMPACT_LIST:
+ ret = ima_parse_compact_list(digest_list_size, digest_list);
+ break;
default:
pr_err("Parser for data type %d not implemented\n", data_type);
ret = -EINVAL;
--
2.11.0
next prev parent reply other threads:[~2017-11-07 10:53 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-07 10:36 [PATCH v2 00/15] ima: digest list feature Roberto Sassu
2017-11-07 10:36 ` [PATCH v2 01/15] ima: generalize ima_read_policy() Roberto Sassu
2017-11-07 10:36 ` [PATCH v2 02/15] ima: generalize ima_write_policy() Roberto Sassu
2017-11-07 10:36 ` [PATCH v2 03/15] ima: generalize policy file operations Roberto Sassu
2017-11-07 10:36 ` [PATCH v2 04/15] ima: use ima_show_htable_value to show hash table data Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 05/15] ima: add functions to manage digest lists Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 06/15] ima: add parser of digest lists metadata Roberto Sassu
2017-11-18 4:20 ` Serge E. Hallyn
2017-11-18 23:23 ` Mimi Zohar
2017-11-20 9:40 ` Roberto Sassu
2017-11-20 13:53 ` Mimi Zohar
2017-11-20 16:52 ` Serge E. Hallyn
2017-11-07 10:37 ` Roberto Sassu [this message]
2017-11-07 10:37 ` [PATCH v2 08/15] ima: add parser of RPM package headers Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 09/15] ima: introduce securityfs interfaces for digest lists Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 10/15] ima: disable digest lookup if digest lists are not checked Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 11/15] ima: add policy action digest_list Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 12/15] ima: do not update security.ima if appraisal status is not INTEGRITY_PASS Roberto Sassu
2017-11-18 4:25 ` Serge E. Hallyn
2017-11-07 10:37 ` [PATCH v2 13/15] evm: add kernel command line option to select protected xattrs Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 14/15] ima: add support for appraisal with digest lists Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 15/15] ima: add Documentation/security/IMA-digest-lists.txt Roberto Sassu
2017-11-07 13:37 ` [PATCH v2 00/15] ima: digest list feature Mimi Zohar
2017-11-07 16:45 ` Roberto Sassu
2017-11-17 1:08 ` Kees Cook
2017-11-17 8:55 ` Roberto Sassu
2017-11-17 12:21 ` Mimi Zohar
2017-11-07 14:49 ` Matthew Garrett
2017-11-07 17:53 ` Roberto Sassu
2017-11-07 18:06 ` Matthew Garrett
2017-11-08 12:00 ` Roberto Sassu
2017-11-08 15:48 ` Matthew Garrett
2017-11-09 9:51 ` Roberto Sassu
2017-11-09 14:47 ` Matthew Garrett
2017-11-09 16:13 ` Roberto Sassu
2017-11-09 16:46 ` Matthew Garrett
2017-11-09 17:23 ` Roberto Sassu
2017-11-09 16:17 ` Mimi Zohar
2017-11-07 18:03 ` Safford, David (GE Global Research, US)
2017-11-08 10:16 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171107103710.10883-8-roberto.sassu@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=silviu.vlasceanu@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).