From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, dhowells@redhat.com,
matthewgarrett@google.com, sashal@kernel.org,
jamorris@linux.microsoft.com, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH v5 05/10] IMA: Measure key if the IMA policy allows measurement for the keyring to which the key is linked to
Date: Mon, 11 Nov 2019 11:32:58 -0800 [thread overview]
Message-ID: <20191111193303.12781-6-nramas@linux.microsoft.com> (raw)
In-Reply-To: <20191111193303.12781-1-nramas@linux.microsoft.com>
process_buffer_measurement() needs to check if the keyring to which
the given key is linked to is listed in the keyrings option in
the IMA policy.
This patch adds a new parameter "keyring" to process_buffer_measurement().
If process_buffer_measurement() is called with func KEYRING_CHECK and
the name of the keyring to which the key is linked to, then the given
key is measured if:
1, IMA policy did not specify "keyrings=" option.
2, Or, the given keyring name is listed in the "keyrings=" option.
Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
security/integrity/ima/ima.h | 2 +-
security/integrity/ima/ima_appraise.c | 2 +-
security/integrity/ima/ima_main.c | 26 ++++++++++++++++++++++++--
3 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 387829afb9a2..f15199f7ff2a 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -221,7 +221,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
struct ima_template_desc *template_desc);
void process_buffer_measurement(const void *buf, int size,
const char *eventname, enum ima_hooks func,
- int pcr);
+ int pcr, const char *keyring);
void ima_audit_measurement(struct integrity_iint_cache *iint,
const unsigned char *filename);
int ima_alloc_init_template(struct ima_event_data *event_data,
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 47ad4f56c0a8..a9649b04b9f1 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -330,7 +330,7 @@ int ima_check_blacklist(struct integrity_iint_cache *iint,
if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
process_buffer_measurement(digest, digestsize,
"blacklisted-hash", NONE,
- pcr);
+ pcr, NULL);
}
return rc;
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 68e15ff1fe8d..1bd5dbd8a077 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -632,12 +632,22 @@ int ima_load_data(enum kernel_load_data_id id)
* @eventname: event name to be used for the buffer entry.
* @func: IMA hook
* @pcr: pcr to extend the measurement
+ * @keyring: keyring for the measurement
+ *
+ * The following scenarios are possible with respect to
+ * the parameter "keyring":
+ * 1, keyring is NULL. In this case buffer is measured.
+ * 2, keyring is not NULL, but ima_get_action returned
+ * a NULL keyrings. In this case also the buffer is measured.
+ * 3, keyring is not NULL and ima_get_action returned
+ * a non-NULL keyrings. In this case measure the buffer
+ * only if the given keyring is present in the keyrings.
*
* Based on policy, the buffer is measured into the ima log.
*/
void process_buffer_measurement(const void *buf, int size,
const char *eventname, enum ima_hooks func,
- int pcr)
+ int pcr, const char *keyring)
{
int ret = 0;
struct ima_template_entry *entry = NULL;
@@ -656,6 +666,13 @@ void process_buffer_measurement(const void *buf, int size,
int action = 0;
u32 secid;
+ /*
+ * If IMA is not yet initialized or IMA policy is empty
+ * then there is no need to measure.
+ */
+ if (!ima_policy_flag)
+ return;
+
/*
* Both LSM hooks and auxilary based buffer measurements are
* based on policy. To avoid code duplication, differentiate
@@ -671,6 +688,11 @@ void process_buffer_measurement(const void *buf, int size,
return;
}
+ if ((keyring != NULL) && (keyrings != NULL)
+ && (strstr(keyrings, keyring) == NULL)) {
+ return;
+ }
+
if (!pcr)
pcr = CONFIG_IMA_MEASURE_PCR_IDX;
@@ -719,7 +741,7 @@ void ima_kexec_cmdline(const void *buf, int size)
{
if (buf && size != 0)
process_buffer_measurement(buf, size, "kexec-cmdline",
- KEXEC_CMDLINE, 0);
+ KEXEC_CMDLINE, 0, NULL);
}
static int __init init_ima(void)
--
2.17.1
next prev parent reply other threads:[~2019-11-11 19:33 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-11 19:32 [PATCH v5 0/10] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian
2019-11-11 19:32 ` [PATCH v5 01/10] IMA: Added KEYRING_CHECK func in IMA policy to measure keys Lakshmi Ramasubramanian
2019-11-12 17:04 ` Mimi Zohar
2019-11-12 17:37 ` Lakshmi Ramasubramanian
2019-11-11 19:32 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specified keyrings Lakshmi Ramasubramanian
2019-11-12 17:05 ` Mimi Zohar
2019-11-12 17:43 ` Lakshmi Ramasubramanian
2019-11-12 17:58 ` Mimi Zohar
2019-11-11 19:32 ` [PATCH v5 03/10] IMA: Read keyrings= option from the IMA policy into ima_rule_entry Lakshmi Ramasubramanian
2019-11-11 19:32 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the policy Lakshmi Ramasubramanian
2019-11-12 17:05 ` Mimi Zohar
2019-11-12 17:47 ` Lakshmi Ramasubramanian
2019-11-12 18:06 ` Mimi Zohar
2019-11-11 19:32 ` Lakshmi Ramasubramanian [this message]
2019-11-11 19:32 ` [PATCH v5 06/10] IMA: Defined an IMA hook to measure keys on key create or update Lakshmi Ramasubramanian
2019-11-11 19:33 ` [PATCH v5 07/10] KEYS: Call the IMA hook to measure key when a new key is created or an existing key is updated Lakshmi Ramasubramanian
2019-11-11 19:33 ` [PATCH v5 08/10] IMA: Added a flag to determine whether IMA hook can process the key now or has to queue for processing later Lakshmi Ramasubramanian
2019-11-11 19:33 ` [PATCH v5 09/10] IMA: Defined functions to queue and dequeue keys for measurement Lakshmi Ramasubramanian
2019-11-11 19:33 ` [PATCH v5 10/10] IMA: Call queue and dequeue functions to measure keys Lakshmi Ramasubramanian
2019-11-11 19:41 ` [PATCH v5 0/10] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian
2019-11-12 17:08 ` Mimi Zohar
2019-11-12 17:52 ` Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191111193303.12781-6-nramas@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=dhowells@redhat.com \
--cc=jamorris@linux.microsoft.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthewgarrett@google.com \
--cc=sashal@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).