From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> To: zohar@linux.ibm.com, dhowells@redhat.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the policy Date: Mon, 11 Nov 2019 19:32:57 +0000 [thread overview] Message-ID: <20191111193303.12781-5-nramas@linux.microsoft.com> (raw) In-Reply-To: <20191111193303.12781-1-nramas@linux.microsoft.com> keyrings option read from the IMA policy needs to be provided to the callers that determine the action to be performed. This patch updates ima_get_action() and ima_match_policy() functions to return the keyrings option specified in the IMA policy. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> --- security/integrity/ima/ima.h | 6 ++++-- security/integrity/ima/ima_api.c | 8 +++++--- security/integrity/ima/ima_appraise.c | 2 +- security/integrity/ima/ima_main.c | 5 +++-- security/integrity/ima/ima_policy.c | 7 ++++++- 5 files changed, 19 insertions(+), 9 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 7f23405b2718..387829afb9a2 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -208,7 +208,8 @@ struct modsig; /* LIM API function definitions */ int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, - struct ima_template_desc **template_desc); + struct ima_template_desc **template_desc, + char **keyrings); int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); int ima_collect_measurement(struct integrity_iint_cache *iint, struct file *file, void *buf, loff_t size, @@ -235,7 +236,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, enum ima_hooks func, int mask, int flags, int *pcr, - struct ima_template_desc **template_desc); + struct ima_template_desc **template_desc, + char **keyrings); void ima_init_policy(void); void ima_update_policy(void); void ima_update_policy_flag(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 610759fe63b8..fa2cd71ddf1a 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -169,12 +169,13 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * @func: caller identifier * @pcr: pointer filled in if matched measure policy sets pcr * @template_desc: pointer filled in if matched measure policy sets template+ * @keyrings: pointer filled in if matched measure policy sets keyrings * * The policy is defined in terms of keypairs: * subj=, obj=, type=, func=, mask=, fsmagic * subj,obj, and type: are LSM specific. * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK - * | KEXEC_CMDLINE + * | KEXEC_CMDLINE | KEYRING_CHECK * mask: contains the permission mask * fsmagic: hex value * @@ -183,14 +184,15 @@ void ima_add_violation(struct file *file, const unsigned char *filename, */ int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, - struct ima_template_desc **template_desc) + struct ima_template_desc **template_desc, + char **keyrings) { int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH; flags &= ima_policy_flag; return ima_match_policy(inode, cred, secid, func, mask, flags, pcr, - template_desc); + template_desc, keyrings); } /* diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 300c8d2943c5..47ad4f56c0a8 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -55,7 +55,7 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func) security_task_getsecid(current, &secid); return ima_match_policy(inode, current_cred(), secid, func, mask, - IMA_APPRAISE | IMA_HASH, NULL, NULL); + IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL); } static int ima_fix_xattr(struct dentry *dentry, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index d7e987baf127..68e15ff1fe8d 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -215,7 +215,7 @@ static int process_measurement(struct file *file, const struct cred *cred, * Included is the appraise submask. */ action = ima_get_action(inode, cred, secid, mask, func, &pcr, - &template_desc); + &template_desc, NULL); violation_check = ((func = FILE_CHECK || func = MMAP_CHECK) && (ima_policy_flag & IMA_MEASURE)); if (!action && !violation_check) @@ -647,6 +647,7 @@ void process_buffer_measurement(const void *buf, int size, .buf = buf, .buf_len = size}; struct ima_template_desc *template = NULL; + char *keyrings = NULL; struct { struct ima_digest_data hdr; char digest[IMA_MAX_DIGEST_SIZE]; @@ -665,7 +666,7 @@ void process_buffer_measurement(const void *buf, int size, if (func) { security_task_getsecid(current, &secid); action = ima_get_action(NULL, current_cred(), secid, 0, func, - &pcr, &template); + &pcr, &template, &keyrings); if (!(action & IMA_MEASURE)) return; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 1aee3c8b9cf6..d1889eee9287 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -481,6 +481,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @pcr: set the pcr to extend * @template_desc: the template that should be used for this rule + * @keyrings: set the keyrings for this rule, if specified * * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) * conditions. @@ -491,7 +492,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) */ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, enum ima_hooks func, int mask, int flags, int *pcr, - struct ima_template_desc **template_desc) + struct ima_template_desc **template_desc, + char **keyrings) { struct ima_rule_entry *entry; int action = 0, actmask = flags | (flags << 1); @@ -527,6 +529,9 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, if ((pcr) && (entry->flags & IMA_PCR)) *pcr = entry->pcr; + if ((keyrings) && (entry->flags & IMA_KEYRINGS)) + *keyrings = entry->keyrings; + if (template_desc && entry->template) *template_desc = entry->template; -- 2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> To: zohar@linux.ibm.com, dhowells@redhat.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the policy Date: Mon, 11 Nov 2019 11:32:57 -0800 [thread overview] Message-ID: <20191111193303.12781-5-nramas@linux.microsoft.com> (raw) In-Reply-To: <20191111193303.12781-1-nramas@linux.microsoft.com> keyrings option read from the IMA policy needs to be provided to the callers that determine the action to be performed. This patch updates ima_get_action() and ima_match_policy() functions to return the keyrings option specified in the IMA policy. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> --- security/integrity/ima/ima.h | 6 ++++-- security/integrity/ima/ima_api.c | 8 +++++--- security/integrity/ima/ima_appraise.c | 2 +- security/integrity/ima/ima_main.c | 5 +++-- security/integrity/ima/ima_policy.c | 7 ++++++- 5 files changed, 19 insertions(+), 9 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 7f23405b2718..387829afb9a2 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -208,7 +208,8 @@ struct modsig; /* LIM API function definitions */ int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, - struct ima_template_desc **template_desc); + struct ima_template_desc **template_desc, + char **keyrings); int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); int ima_collect_measurement(struct integrity_iint_cache *iint, struct file *file, void *buf, loff_t size, @@ -235,7 +236,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, enum ima_hooks func, int mask, int flags, int *pcr, - struct ima_template_desc **template_desc); + struct ima_template_desc **template_desc, + char **keyrings); void ima_init_policy(void); void ima_update_policy(void); void ima_update_policy_flag(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 610759fe63b8..fa2cd71ddf1a 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -169,12 +169,13 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * @func: caller identifier * @pcr: pointer filled in if matched measure policy sets pcr= * @template_desc: pointer filled in if matched measure policy sets template= + * @keyrings: pointer filled in if matched measure policy sets keyrings= * * The policy is defined in terms of keypairs: * subj=, obj=, type=, func=, mask=, fsmagic= * subj,obj, and type: are LSM specific. * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK - * | KEXEC_CMDLINE + * | KEXEC_CMDLINE | KEYRING_CHECK * mask: contains the permission mask * fsmagic: hex value * @@ -183,14 +184,15 @@ void ima_add_violation(struct file *file, const unsigned char *filename, */ int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, - struct ima_template_desc **template_desc) + struct ima_template_desc **template_desc, + char **keyrings) { int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH; flags &= ima_policy_flag; return ima_match_policy(inode, cred, secid, func, mask, flags, pcr, - template_desc); + template_desc, keyrings); } /* diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 300c8d2943c5..47ad4f56c0a8 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -55,7 +55,7 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func) security_task_getsecid(current, &secid); return ima_match_policy(inode, current_cred(), secid, func, mask, - IMA_APPRAISE | IMA_HASH, NULL, NULL); + IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL); } static int ima_fix_xattr(struct dentry *dentry, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index d7e987baf127..68e15ff1fe8d 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -215,7 +215,7 @@ static int process_measurement(struct file *file, const struct cred *cred, * Included is the appraise submask. */ action = ima_get_action(inode, cred, secid, mask, func, &pcr, - &template_desc); + &template_desc, NULL); violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && (ima_policy_flag & IMA_MEASURE)); if (!action && !violation_check) @@ -647,6 +647,7 @@ void process_buffer_measurement(const void *buf, int size, .buf = buf, .buf_len = size}; struct ima_template_desc *template = NULL; + char *keyrings = NULL; struct { struct ima_digest_data hdr; char digest[IMA_MAX_DIGEST_SIZE]; @@ -665,7 +666,7 @@ void process_buffer_measurement(const void *buf, int size, if (func) { security_task_getsecid(current, &secid); action = ima_get_action(NULL, current_cred(), secid, 0, func, - &pcr, &template); + &pcr, &template, &keyrings); if (!(action & IMA_MEASURE)) return; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 1aee3c8b9cf6..d1889eee9287 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -481,6 +481,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @pcr: set the pcr to extend * @template_desc: the template that should be used for this rule + * @keyrings: set the keyrings for this rule, if specified * * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) * conditions. @@ -491,7 +492,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) */ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, enum ima_hooks func, int mask, int flags, int *pcr, - struct ima_template_desc **template_desc) + struct ima_template_desc **template_desc, + char **keyrings) { struct ima_rule_entry *entry; int action = 0, actmask = flags | (flags << 1); @@ -527,6 +529,9 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, if ((pcr) && (entry->flags & IMA_PCR)) *pcr = entry->pcr; + if ((keyrings) && (entry->flags & IMA_KEYRINGS)) + *keyrings = entry->keyrings; + if (template_desc && entry->template) *template_desc = entry->template; -- 2.17.1
next prev parent reply other threads:[~2019-11-11 19:32 UTC|newest] Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-11-11 19:32 [PATCH v5 0/10] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian 2019-11-11 19:32 ` Lakshmi Ramasubramanian 2019-11-11 19:32 ` [PATCH v5 01/10] IMA: Added KEYRING_CHECK func in IMA policy to measure keys Lakshmi Ramasubramanian 2019-11-11 19:32 ` Lakshmi Ramasubramanian 2019-11-12 17:04 ` Mimi Zohar 2019-11-12 17:04 ` Mimi Zohar 2019-11-12 17:37 ` Lakshmi Ramasubramanian 2019-11-12 17:37 ` Lakshmi Ramasubramanian 2019-11-11 19:32 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specifi Lakshmi Ramasubramanian 2019-11-11 19:32 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specified keyrings Lakshmi Ramasubramanian 2019-11-12 17:05 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the spe Mimi Zohar 2019-11-12 17:05 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specified keyrings Mimi Zohar 2019-11-12 17:43 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the spe Lakshmi Ramasubramanian 2019-11-12 17:43 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specified keyrings Lakshmi Ramasubramanian 2019-11-12 17:58 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the spe Mimi Zohar 2019-11-12 17:58 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specified keyrings Mimi Zohar 2019-11-11 19:32 ` [PATCH v5 03/10] IMA: Read keyrings= option from the IMA policy into ima_rule_entry Lakshmi Ramasubramanian 2019-11-11 19:32 ` Lakshmi Ramasubramanian 2019-11-11 19:32 ` Lakshmi Ramasubramanian [this message] 2019-11-11 19:32 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the policy Lakshmi Ramasubramanian 2019-11-12 17:05 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the polic Mimi Zohar 2019-11-12 17:05 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the policy Mimi Zohar 2019-11-12 17:47 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the polic Lakshmi Ramasubramanian 2019-11-12 17:47 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the policy Lakshmi Ramasubramanian 2019-11-12 18:06 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the polic Mimi Zohar 2019-11-12 18:06 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the policy Mimi Zohar 2019-11-11 19:32 ` [PATCH v5 05/10] IMA: Measure key if the IMA policy allows measurement for the keyring to which the Lakshmi Ramasubramanian 2019-11-11 19:32 ` [PATCH v5 05/10] IMA: Measure key if the IMA policy allows measurement for the keyring to which the key is linked to Lakshmi Ramasubramanian 2019-11-11 19:32 ` [PATCH v5 06/10] IMA: Defined an IMA hook to measure keys on key create or update Lakshmi Ramasubramanian 2019-11-11 19:32 ` Lakshmi Ramasubramanian 2019-11-11 19:33 ` [PATCH v5 07/10] KEYS: Call the IMA hook to measure key when a new key is created or an existing key Lakshmi Ramasubramanian 2019-11-11 19:33 ` [PATCH v5 07/10] KEYS: Call the IMA hook to measure key when a new key is created or an existing key is updated Lakshmi Ramasubramanian 2019-11-11 19:33 ` [PATCH v5 08/10] IMA: Added a flag to determine whether IMA hook can process the key now or has to q Lakshmi Ramasubramanian 2019-11-11 19:33 ` [PATCH v5 08/10] IMA: Added a flag to determine whether IMA hook can process the key now or has to queue for processing later Lakshmi Ramasubramanian 2019-11-11 19:33 ` [PATCH v5 09/10] IMA: Defined functions to queue and dequeue keys for measurement Lakshmi Ramasubramanian 2019-11-11 19:33 ` Lakshmi Ramasubramanian 2019-11-11 19:33 ` [PATCH v5 10/10] IMA: Call queue and dequeue functions to measure keys Lakshmi Ramasubramanian 2019-11-11 19:33 ` Lakshmi Ramasubramanian 2019-11-11 19:41 ` [PATCH v5 0/10] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian 2019-11-11 19:41 ` Lakshmi Ramasubramanian 2019-11-12 17:08 ` Mimi Zohar 2019-11-12 17:08 ` Mimi Zohar 2019-11-12 17:52 ` Lakshmi Ramasubramanian 2019-11-12 17:52 ` Lakshmi Ramasubramanian
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20191111193303.12781-5-nramas@linux.microsoft.com \ --to=nramas@linux.microsoft.com \ --cc=dhowells@redhat.com \ --cc=jamorris@linux.microsoft.com \ --cc=keyrings@vger.kernel.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=matthewgarrett@google.com \ --cc=sashal@kernel.org \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.