ima: pass iint to ima_add_violation()
This patch adds the iint associated to the current inode as a new parameter of ima_add_violation(). The passed iint is never NULL when a violation is detected. This modification will be used to determine the inode for which there is a violation. Since the 'd' and 'd-ng' template field init() functions were detecting a violation from the value of the iint pointer, they now check the new field 'violation', added to the 'ima_event_data' structure. Changelog: - v1: - modified an old comment (Roberto Sassu) Signed-off-by: Roberto Sassu <rsassu@suse.de> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
Родитель
23b5741932
Коммит
8d94eb9b5c
|
@ -59,6 +59,7 @@ struct ima_event_data {
|
||||||
const unsigned char *filename;
|
const unsigned char *filename;
|
||||||
struct evm_ima_xattr_data *xattr_value;
|
struct evm_ima_xattr_data *xattr_value;
|
||||||
int xattr_len;
|
int xattr_len;
|
||||||
|
const char *violation;
|
||||||
};
|
};
|
||||||
|
|
||||||
/* IMA template field data definition */
|
/* IMA template field data definition */
|
||||||
|
@ -110,6 +111,7 @@ int ima_calc_field_array_hash(struct ima_field_data *field_data,
|
||||||
struct ima_digest_data *hash);
|
struct ima_digest_data *hash);
|
||||||
int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
|
int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
|
||||||
void ima_add_violation(struct file *file, const unsigned char *filename,
|
void ima_add_violation(struct file *file, const unsigned char *filename,
|
||||||
|
struct integrity_iint_cache *iint,
|
||||||
const char *op, const char *cause);
|
const char *op, const char *cause);
|
||||||
int ima_init_crypto(void);
|
int ima_init_crypto(void);
|
||||||
void ima_putc(struct seq_file *m, void *data, int datalen);
|
void ima_putc(struct seq_file *m, void *data, int datalen);
|
||||||
|
|
|
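Review bot: The new `violation` member of struct ima_event_data carries two meanings at once — a non-NULL value marks the event as a violation, and the string is the cause that ima_add_violation() stores there — but the first hunk declares it without a comment, while the field init functions in ima_template_lib.c now branch on it being NULL. Record that contract at the declaration, e.g. `const char *violation; /* non-NULL (the cause string) only when recording a violation */`. The second hunk's prototype change would benefit from a matching note on `iint`, since per the commit message it is expected to be non-NULL for every violation and nothing in the header says so.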
@ -126,11 +126,13 @@ int ima_store_template(struct ima_template_entry *entry,
|
||||||
* value is invalidated.
|
* value is invalidated.
|
||||||
*/
|
*/
|
||||||
void ima_add_violation(struct file *file, const unsigned char *filename,
|
void ima_add_violation(struct file *file, const unsigned char *filename,
|
||||||
|
struct integrity_iint_cache *iint,
|
||||||
const char *op, const char *cause)
|
const char *op, const char *cause)
|
||||||
{
|
{
|
||||||
struct ima_template_entry *entry;
|
struct ima_template_entry *entry;
|
||||||
struct inode *inode = file_inode(file);
|
struct inode *inode = file_inode(file);
|
||||||
struct ima_event_data event_data = {NULL, file, filename, NULL, 0};
|
struct ima_event_data event_data = {iint, file, filename, NULL, 0,
|
||||||
|
cause};
|
||||||
int violation = 1;
|
int violation = 1;
|
||||||
int result;
|
int result;
|
||||||
|
|
||||||
|
@ -264,8 +266,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
|
||||||
int result = -ENOMEM;
|
int result = -ENOMEM;
|
||||||
struct inode *inode = file_inode(file);
|
struct inode *inode = file_inode(file);
|
||||||
struct ima_template_entry *entry;
|
struct ima_template_entry *entry;
|
||||||
struct ima_event_data event_data = {iint, file, filename,
|
struct ima_event_data event_data = {iint, file, filename, xattr_value,
|
||||||
xattr_value, xattr_len};
|
xattr_len, NULL};
|
||||||
int violation = 0;
|
int violation = 0;
|
||||||
|
|
||||||
if (iint->flags & IMA_MEASURED)
|
if (iint->flags & IMA_MEASURED)
|
||||||
|
|
|
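Review bot: In ima_add_violation() the violation marker is now the `cause` string itself (`event_data = {iint, file, filename, NULL, 0, cause}`), so whether the 'd' and 'd-ng' template fields skip the digest depends on no caller ever passing a NULL `cause`; before this change the NULL `iint` made that case impossible. A NULL `cause` would silently drop the marker and let the template code dereference `event_data->iint->ima_hash`, which on the violation path may not have been collected. Either a `WARN_ON_ONCE(!cause)` next to the initializer or a sentence on the prototype stating that `cause` must be non-NULL would make the new invariant explicit. The function body continues past the hunk, and the local `violation = 1` still exists alongside the new string field, which is easy to confuse on a first read.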
@ -50,7 +50,7 @@ static int __init ima_add_boot_aggregate(void)
|
||||||
struct ima_template_entry *entry;
|
struct ima_template_entry *entry;
|
||||||
struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
|
struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
|
||||||
struct ima_event_data event_data = {iint, NULL, boot_aggregate_name,
|
struct ima_event_data event_data = {iint, NULL, boot_aggregate_name,
|
||||||
NULL, 0};
|
NULL, 0, NULL};
|
||||||
int result = -ENOMEM;
|
int result = -ENOMEM;
|
||||||
int violation = 0;
|
int violation = 0;
|
||||||
struct {
|
struct {
|
||||||
|
|
|
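Review bot: The positional initializer `{iint, NULL, boot_aggregate_name, NULL, 0, NULL}` had to be edited only because a member was appended to struct ima_event_data, and the same mechanical edit was needed in ima_api.c; designated initializers avoid that churn and zero every member not named: `struct ima_event_data event_data = { .iint = iint, .filename = boot_aggregate_name };`. This is a style point only — behaviour is identical either way. The rest of ima_add_boot_aggregate() is outside the hunk.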
@ -106,9 +106,10 @@ static void ima_rdwr_violation_check(struct file *file,
|
||||||
*pathname = ima_d_path(&file->f_path, pathbuf);
|
*pathname = ima_d_path(&file->f_path, pathbuf);
|
||||||
|
|
||||||
if (send_tomtou)
|
if (send_tomtou)
|
||||||
ima_add_violation(file, *pathname, "invalid_pcr", "ToMToU");
|
ima_add_violation(file, *pathname, iint,
|
||||||
|
"invalid_pcr", "ToMToU");
|
||||||
if (send_writers)
|
if (send_writers)
|
||||||
ima_add_violation(file, *pathname,
|
ima_add_violation(file, *pathname, iint,
|
||||||
"invalid_pcr", "open_writers");
|
"invalid_pcr", "open_writers");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
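Review bot: Both calls now hand `iint` to ima_add_violation(), which stores it in the event data without checking it, so correctness rests on `iint` being non-NULL whenever send_tomtou or send_writers is set; the commit message asserts this, but the assignment happens earlier in ima_rdwr_violation_check(), outside this hunk, so I cannot confirm it from what is shown. A one-line comment above the two calls, `/* iint is non-NULL whenever a violation was flagged above */`, would record the invariant where the next reader needs it. The function's start is outside the hunk.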
@ -209,7 +209,7 @@ int ima_eventdigest_init(struct ima_event_data *event_data,
|
||||||
|
|
||||||
memset(&hash, 0, sizeof(hash));
|
memset(&hash, 0, sizeof(hash));
|
||||||
|
|
||||||
if (!event_data->iint) /* recording a violation. */
|
if (event_data->violation) /* recording a violation. */
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
if (ima_template_hash_algo_allowed(event_data->iint->ima_hash->algo)) {
|
if (ima_template_hash_algo_allowed(event_data->iint->ima_hash->algo)) {
|
||||||
|
@ -247,8 +247,7 @@ int ima_eventdigest_ng_init(struct ima_event_data *event_data,
|
||||||
u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1;
|
u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1;
|
||||||
u32 cur_digestsize = 0;
|
u32 cur_digestsize = 0;
|
||||||
|
|
||||||
/* If iint is NULL, we are recording a violation. */
|
if (event_data->violation) /* recording a violation. */
|
||||||
if (!event_data->iint)
|
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
cur_digest = event_data->iint->ima_hash->digest;
|
cur_digest = event_data->iint->ima_hash->digest;
|
||||||
|
|
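Review bot: In ima_eventdigest_init() the replacement check `if (event_data->violation)` no longer guards the `event_data->iint->ima_hash->algo` dereference two lines below against a NULL `iint`, which the removed `if (!event_data->iint)` did implicitly; the same applies to `cur_digest = event_data->iint->ima_hash->digest` in ima_eventdigest_ng_init(). The commit relies on every non-violation caller supplying an iint, which holds for the callers in this series but is not stated at the point of use. A comment such as `/* iint is always set when not recording a violation */` above each dereference would document the reliance; if a defensive check is preferred, the return convention of these init functions is outside the hunk and should be matched. Both function bodies continue past their hunks.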