ima: Define ima-modsig template
Define new "d-modsig" template field which holds the digest that is expected to match the one contained in the modsig, and also new "modsig" template field which holds the appended file signature. Add a new "ima-modsig" defined template descriptor with the new fields as well as the ones from the "ima-sig" descriptor. Change ima_store_measurement() to accept a struct modsig * argument so that it can be passed along to the templates via struct ima_event_data. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Thiago Jung Bauermann
committed by
Mimi Zohar
Mimi Zohar
parent
15588227e0
commit
3878d505aa
@@ -6,6 +6,9 @@
|
||||
* ima_policy.c
|
||||
* - initialize default measure policy rules
|
||||
*/
|
||||
|
||||
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
||||
|
||||
#include <linux/init.h>
|
||||
#include <linux/list.h>
|
||||
#include <linux/fs.h>
|
||||
@@ -845,6 +848,38 @@ static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
|
||||
ima_log_string_op(ab, key, value, NULL);
|
||||
}
|
||||
|
||||
/*
|
||||
* Validating the appended signature included in the measurement list requires
|
||||
* the file hash calculated without the appended signature (i.e., the 'd-modsig'
|
||||
* field). Therefore, notify the user if they have the 'modsig' field but not
|
||||
* the 'd-modsig' field in the template.
|
||||
*/
|
||||
static void check_template_modsig(const struct ima_template_desc *template)
|
||||
{
|
||||
#define MSG "template with 'modsig' field also needs 'd-modsig' field\n"
|
||||
bool has_modsig, has_dmodsig;
|
||||
static bool checked;
|
||||
int i;
|
||||
|
||||
/* We only need to notify the user once. */
|
||||
if (checked)
|
||||
return;
|
||||
|
||||
has_modsig = has_dmodsig = false;
|
||||
for (i = 0; i < template->num_fields; i++) {
|
||||
if (!strcmp(template->fields[i]->field_id, "modsig"))
|
||||
has_modsig = true;
|
||||
else if (!strcmp(template->fields[i]->field_id, "d-modsig"))
|
||||
has_dmodsig = true;
|
||||
}
|
||||
|
||||
if (has_modsig && !has_dmodsig)
|
||||
pr_notice(MSG);
|
||||
|
||||
checked = true;
|
||||
#undef MSG
|
||||
}
|
||||
|
||||
static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
|
||||
{
|
||||
struct audit_buffer *ab;
|
||||
@@ -1187,6 +1222,12 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
|
||||
else if (entry->action == APPRAISE)
|
||||
temp_ima_appraise |= ima_appraise_flag(entry->func);
|
||||
|
||||
if (!result && entry->flags & IMA_MODSIG_ALLOWED) {
|
||||
template_desc = entry->template ? entry->template :
|
||||
ima_template_desc_current();
|
||||
check_template_modsig(template_desc);
|
||||
}
|
||||
|
||||
audit_log_format(ab, "res=%d", !result);
|
||||
audit_log_end(ab);
|
||||
return result;
|
||||
|
||||
Reference in New Issue
Block a user