From: Prakhar Srivastava <prsriva02@gmail.com>
To: linux-integrity@vger.kernel.org,
	linux-secuirty-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: zohar@linux.ibm.com, ebiederm@xmission.com, vgoyal@redhat.com,
	nayna@linux.ibm.com, Prakhar Srivastava <prsriva02@gmail.com>
Subject: [PATCH v3 4/4] added LSM hook to call ima_buffer_check
Date: Mon, 29 Apr 2019 14:47:43 -0700	[thread overview]
Message-ID: <20190429214743.4625-5-prsriva02@gmail.com> (raw)
In-Reply-To: <20190429214743.4625-1-prsriva02@gmail.com>

From: Prakhar Srivastava <prsriva02@gmail.com>

Add an LSM hook to call ima_buffer_check.

Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com>
---
 include/linux/lsm_hooks.h | 3 +++
 include/linux/security.h  | 3 +++
 kernel/kexec_internal.h   | 4 +++-
 security/security.c       | 6 ++++++
 4 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index a240a3fc5fc4..f18562c1eb24 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1672,6 +1672,8 @@ union security_list_options {
 	int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen);
 	int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen);
 
+	int (*buffer_check)(const void *buff, int size, const char *eventname);
+
 #ifdef CONFIG_SECURITY_NETWORK
 	int (*unix_stream_connect)(struct sock *sock, struct sock *other,
 					struct sock *newsk);
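Review bot: The new `buffer_check` slot is added without a matching entry in the hook documentation comment block at the top of lsm_hooks.h; the diffstat shows only the three inserted lines in this header, so nothing states what @buff, @size and @eventname are or what the int return means, and that entry should be written alongside the other hook descriptions. The prototype here also disagrees with the wrapper declared in security.h and defined in security.c: the hook takes `const char *eventname` while `security_buffer_measure` takes `char *eventname` in the security.h prototype, the !CONFIG_SECURITY stub and the security.c definition, so the wrapper cannot be passed a string literal without a warning; making all of them `const char *` is the smaller change. `int size` is a signed count for a buffer length where `size_t` is the convention for the rest of this union. The `struct hlist_head buffer_check` added in the second hunk of this file needs no change of its own.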
@@ -1945,6 +1947,7 @@ struct security_hook_heads {
 	struct hlist_head inode_notifysecctx;
 	struct hlist_head inode_setsecctx;
 	struct hlist_head inode_getsecctx;
+	struct hlist_head buffer_check;
 #ifdef CONFIG_SECURITY_NETWORK
 	struct hlist_head unix_stream_connect;
 	struct hlist_head unix_may_send;
diff --git a/include/linux/security.h b/include/linux/security.h
index 49f2685324b0..8dece6da0dda 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -388,6 +388,7 @@ void security_inode_invalidate_secctx(struct inode *inode);
 int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
+void security_buffer_measure(const void *buff, int size, char *eventname);
 #else /* CONFIG_SECURITY */
 
 static inline int call_lsm_notifier(enum lsm_event event, void *data)
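Review bot: The wrapper is named `security_buffer_measure` while the hook slot it dispatches to is `buffer_check` and the function it calls is `ima_buffer_check`; every neighbouring wrapper in this header is `security_` followed by the hook name (`security_inode_getsecctx` over `inode_getsecctx` on the line above), so `security_buffer_check` would keep that convention and let a reader grep one name across lsm_hooks.h, security.h and security.c. The same rename would apply to the stub in the next hunk and to the definition in security.c.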
@@ -1188,6 +1189,8 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32
 {
 	return -EOPNOTSUPP;
 }
+static inline void security_buffer_measure(const void *buff, int size, char *eventname)
+{ }
 #endif	/* CONFIG_SECURITY */
 
 #ifdef CONFIG_SECURITY_NETWORK
diff --git a/kernel/kexec_internal.h b/kernel/kexec_internal.h
index 48aaf2ac0d0d..9f967fbb5aa0 100644
--- a/kernel/kexec_internal.h
+++ b/kernel/kexec_internal.h
@@ -12,7 +12,9 @@ int kimage_load_segment(struct kimage *image, struct kexec_segment *segment);
 void kimage_terminate(struct kimage *image);
 int kimage_is_destination_range(struct kimage *image,
 				unsigned long start, unsigned long end);
-
+int kexec_cmdline_prepend_img_name(char **outbuf, int kernel_fd,
+				const char *cmdline_ptr,
+				unsigned long cmdline_len);
 extern struct mutex kexec_mutex;
 
 #ifdef CONFIG_KEXEC_FILE
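Review bot: The `kexec_cmdline_prepend_img_name()` prototype is unrelated to the LSM hook this patch describes (the subject and description mention only `ima_buffer_check`), and from the series titles it presumably belongs with the kexec command-line change in patch 3/4; carrying it here makes the LSM change harder to review and bisect. If it stays, the header should say who owns the buffer handed back through `outbuf`, because the signature alone does not tell the caller whether it must free it — e.g. `/* On success *outbuf is allocated by the callee and must be freed by the caller. */`, with the exact allocation rule confirmed against the definition. The hunk also removes the blank line that separated the kimage declarations from `kexec_mutex`, which looks accidental.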
diff --git a/security/security.c b/security/security.c
index 23cbb1a295a3..2b575a40470e 100644
--- a/security/security.c
+++ b/security/security.c
@@ -754,6 +754,12 @@ int security_bprm_check(struct linux_binprm *bprm)
 	return ima_bprm_check(bprm);
 }
 
+void security_buffer_measure(const void *buff, int size, char *eventname)
+{
+	call_void_hook(buffer_check, buff, size, eventname);
+	return ima_buffer_check(buff, size, eventname);
+}
+
 void security_bprm_committing_creds(struct linux_binprm *bprm)
 {
 	call_void_hook(bprm_committing_creds, bprm);
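Review bot: `return ima_buffer_check(buff, size, eventname);` returns a value from a function declared `void`, a constraint violation that GCC reports as "'return' with a value, in function returning void" (an error under -Werror), and in any case whatever IMA reports is thrown away. The hook slot in lsm_hooks.h is `int (*buffer_check)(...)` and `security_bprm_check()` directly above propagates `ima_bprm_check()`'s result, so the consistent fix is to make the wrapper return int, dispatch through `call_int_hook` so a denial from a stacked LSM is honoured, and propagate the IMA result; the prototype and the !CONFIG_SECURITY stub in security.h would need the same return type, with the stub becoming `return 0;`. This assumes `ima_buffer_check()` returns int like the other IMA hooks — its declaration is in another patch of this series. If the call is intended to be fire-and-forget, the minimal fix is to drop the `return` keyword and keep the wrapper void.
```c
int security_buffer_measure(const void *buff, int size, const char *eventname)
{
	int ret;

	ret = call_int_hook(buffer_check, 0, buff, size, eventname);
	if (ret)
		return ret;
	return ima_buffer_check(buff, size, eventname);
}
```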
-- 
2.19.1


2019-04-29 21:47 [PATCH v3 0/4] Add a new ima_hook buffer_check to measure buffers critical for attestation Prakhar Srivastava
2019-04-29 21:47 ` [PATCH v3 1/4] added a new ima policy func buffer_check, and ima hook to measure the buffer hash into ima Prakhar Srivastava
2019-05-02 16:52   ` Mimi Zohar
2019-04-29 21:47 ` [PATCH v3 2/4] add the buffer to the xattr Prakhar Srivastava
2019-05-02 16:52   ` Mimi Zohar
2019-04-29 21:47 ` [PATCH v3 3/4] add kexec_cmdline used to ima Prakhar Srivastava
2019-05-02 16:52   ` Mimi Zohar
2019-05-02 16:58     ` Al Viro
2019-04-29 21:47 ` Prakhar Srivastava [this message]
2019-05-02 16:52   ` [PATCH v3 4/4] added LSM hook to call ima_buffer_check Mimi Zohar
