From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, stephen.smalley@gmail.com, casey@schaufler-ca.com
Cc: jmorris@namei.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 2/5] IMA: Define an IMA hook to measure LSM data
Date: Fri, 12 Jun 2020 19:41:27 -0700 [thread overview]
Message-ID: <20200613024130.3356-3-nramas@linux.microsoft.com> (raw)
In-Reply-To: <20200613024130.3356-1-nramas@linux.microsoft.com>
LSM requires an IMA hook to be defined by the IMA subsystem to measure
the data gathered from the security modules.
Define a new IMA hook, namely ima_lsm_state(), that the LSM will call
to measure the data gathered from the security modules.
Sample IMA log entry for LSM measurement:
10 47eed9... ima-buf sha256:402f6b... lsm-state:selinux 656e61626c65643d313b656e666f7263696e673d30
Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
include/linux/ima.h | 4 ++++
security/integrity/ima/ima_main.c | 30 ++++++++++++++++++++++++++++++
2 files changed, 34 insertions(+)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 9164e1534ec9..56681a648b3d 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -26,6 +26,7 @@ extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
extern void ima_post_path_mknod(struct dentry *dentry);
extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
extern void ima_kexec_cmdline(const void *buf, int size);
+extern void ima_lsm_state(const char *lsm_name, const void *buf, int size);
#ifdef CONFIG_IMA_KEXEC
extern void ima_add_kexec_buffer(struct kimage *image);
@@ -104,6 +105,9 @@ static inline int ima_file_hash(struct file *file, char *buf, size_t buf_size)
}
static inline void ima_kexec_cmdline(const void *buf, int size) {}
+
+static inline void ima_lsm_state(const char *lsm_name,
+ const void *buf, int size) {}
#endif /* CONFIG_IMA */
#ifndef CONFIG_IMA_KEXEC
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index c1583d98c5e5..34be962054fb 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -827,6 +827,36 @@ void ima_kexec_cmdline(const void *buf, int size)
KEXEC_CMDLINE, 0, NULL);
}
+/**
+ * ima_lsm_state - measure LSM specific state
+ * @lsm_name: Name of the LSM
+ * @buf: pointer to buffer containing LSM specific state
+ * @size: Number of bytes in buf
+ *
+ * Buffers can only be measured, not appraised.
+ */
+void ima_lsm_state(const char *lsm_name, const void *buf, int size)
+{
+ const char *eventname = "lsm-state:";
+ char *lsmstatestring;
+ int lsmstatelen;
+
+ if (!lsm_name || !buf || !size)
+ return;
+
+ lsmstatelen = strlen(eventname) + strlen(lsm_name) + 1;
+ lsmstatestring = kzalloc(lsmstatelen, GFP_KERNEL);
+ if (!lsmstatestring)
+ return;
+
+ strcpy(lsmstatestring, eventname);
+ strcat(lsmstatestring, lsm_name);
+
+ process_buffer_measurement(buf, size, lsmstatestring,
+ LSM_STATE, 0, NULL);
+ kfree(lsmstatestring);
+}
+
static int __init init_ima(void)
{
int error;
--
2.27.0
next prev parent reply other threads:[~2020-06-13 2:41 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-13 2:41 [PATCH 0/5] LSM: Measure security module state Lakshmi Ramasubramanian
2020-06-13 2:41 ` [PATCH 1/5] IMA: Add LSM_STATE func to measure LSM data Lakshmi Ramasubramanian
2020-06-13 2:41 ` Lakshmi Ramasubramanian [this message]
2020-06-13 2:41 ` [PATCH 3/5] LSM: Add security_state function pointer in lsm_info struct Lakshmi Ramasubramanian
2020-06-13 2:41 ` [PATCH 4/5] LSM: Define SELinux function to measure security state Lakshmi Ramasubramanian
2020-06-15 11:57 ` Stephen Smalley
2020-06-15 12:15 ` Stephen Smalley
2020-06-15 16:45 ` Lakshmi Ramasubramanian
2020-06-15 17:33 ` Casey Schaufler
2020-06-15 17:44 ` Mimi Zohar
2020-06-15 23:18 ` Casey Schaufler
2020-06-16 0:44 ` Mimi Zohar
2020-06-16 8:38 ` John Johansen
2020-06-15 20:31 ` Stephen Smalley
2020-06-13 2:41 ` [PATCH 5/5] LSM: Define workqueue for measuring security module state Lakshmi Ramasubramanian
2020-06-15 13:33 ` Stephen Smalley
2020-06-15 14:59 ` Mimi Zohar
2020-06-15 15:47 ` Stephen Smalley
2020-06-15 16:10 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200613024130.3356-3-nramas@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=stephen.smalley@gmail.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.