ima: pass iint to ima_add_violation()

This patch adds the iint associated to the current inode as a new
parameter of ima_add_violation(). The passed iint is always not NULL
if a violation is detected. This modification will be used to determine
the inode for which there is a violation.

Since the 'd' and 'd-ng' template field init() functions were detecting
a violation from the value of the iint pointer, they now check the new
field 'violation', added to the 'ima_event_data' structure.

Changelog:
 - v1:
   - modified an old comment (Roberto Sassu)

Signed-off-by: Roberto Sassu <rsassu@suse.de>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
Roberto Sassu 2015-04-11 17:12:39 +02:00 коммит произвёл Mimi Zohar
Родитель 23b5741932
Коммит 8d94eb9b5c
5 изменённых файлов: 13 добавлений и 9 удалений

Просмотреть файл

@ -59,6 +59,7 @@ struct ima_event_data {
const unsigned char *filename; const unsigned char *filename;
struct evm_ima_xattr_data *xattr_value; struct evm_ima_xattr_data *xattr_value;
int xattr_len; int xattr_len;
const char *violation;
}; };
/* IMA template field data definition */ /* IMA template field data definition */
@ -110,6 +111,7 @@ int ima_calc_field_array_hash(struct ima_field_data *field_data,
struct ima_digest_data *hash); struct ima_digest_data *hash);
int __init ima_calc_boot_aggregate(struct ima_digest_data *hash); int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
void ima_add_violation(struct file *file, const unsigned char *filename, void ima_add_violation(struct file *file, const unsigned char *filename,
struct integrity_iint_cache *iint,
const char *op, const char *cause); const char *op, const char *cause);
int ima_init_crypto(void); int ima_init_crypto(void);
void ima_putc(struct seq_file *m, void *data, int datalen); void ima_putc(struct seq_file *m, void *data, int datalen);

Просмотреть файл

@ -126,11 +126,13 @@ int ima_store_template(struct ima_template_entry *entry,
* value is invalidated. * value is invalidated.
*/ */
void ima_add_violation(struct file *file, const unsigned char *filename, void ima_add_violation(struct file *file, const unsigned char *filename,
struct integrity_iint_cache *iint,
const char *op, const char *cause) const char *op, const char *cause)
{ {
struct ima_template_entry *entry; struct ima_template_entry *entry;
struct inode *inode = file_inode(file); struct inode *inode = file_inode(file);
struct ima_event_data event_data = {NULL, file, filename, NULL, 0}; struct ima_event_data event_data = {iint, file, filename, NULL, 0,
cause};
int violation = 1; int violation = 1;
int result; int result;
@ -264,8 +266,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
int result = -ENOMEM; int result = -ENOMEM;
struct inode *inode = file_inode(file); struct inode *inode = file_inode(file);
struct ima_template_entry *entry; struct ima_template_entry *entry;
struct ima_event_data event_data = {iint, file, filename, struct ima_event_data event_data = {iint, file, filename, xattr_value,
xattr_value, xattr_len}; xattr_len, NULL};
int violation = 0; int violation = 0;
if (iint->flags & IMA_MEASURED) if (iint->flags & IMA_MEASURED)

Просмотреть файл

@ -50,7 +50,7 @@ static int __init ima_add_boot_aggregate(void)
struct ima_template_entry *entry; struct ima_template_entry *entry;
struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
struct ima_event_data event_data = {iint, NULL, boot_aggregate_name, struct ima_event_data event_data = {iint, NULL, boot_aggregate_name,
NULL, 0}; NULL, 0, NULL};
int result = -ENOMEM; int result = -ENOMEM;
int violation = 0; int violation = 0;
struct { struct {

Просмотреть файл

@ -106,9 +106,10 @@ static void ima_rdwr_violation_check(struct file *file,
*pathname = ima_d_path(&file->f_path, pathbuf); *pathname = ima_d_path(&file->f_path, pathbuf);
if (send_tomtou) if (send_tomtou)
ima_add_violation(file, *pathname, "invalid_pcr", "ToMToU"); ima_add_violation(file, *pathname, iint,
"invalid_pcr", "ToMToU");
if (send_writers) if (send_writers)
ima_add_violation(file, *pathname, ima_add_violation(file, *pathname, iint,
"invalid_pcr", "open_writers"); "invalid_pcr", "open_writers");
} }

Просмотреть файл

@ -209,7 +209,7 @@ int ima_eventdigest_init(struct ima_event_data *event_data,
memset(&hash, 0, sizeof(hash)); memset(&hash, 0, sizeof(hash));
if (!event_data->iint) /* recording a violation. */ if (event_data->violation) /* recording a violation. */
goto out; goto out;
if (ima_template_hash_algo_allowed(event_data->iint->ima_hash->algo)) { if (ima_template_hash_algo_allowed(event_data->iint->ima_hash->algo)) {
@ -247,8 +247,7 @@ int ima_eventdigest_ng_init(struct ima_event_data *event_data,
u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1; u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1;
u32 cur_digestsize = 0; u32 cur_digestsize = 0;
/* If iint is NULL, we are recording a violation. */ if (event_data->violation) /* recording a violation. */
if (!event_data->iint)
goto out; goto out;
cur_digest = event_data->iint->ima_hash->digest; cur_digest = event_data->iint->ima_hash->digest;