mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-04 20:19:47 +08:00 
			
		
		
		
	IMA: Define a new hook to measure the kexec boot command line arguments
Currently during soft reboot(kexec_file_load) boot command line arguments are not measured. Define hooks needed to measure kexec command line arguments during soft reboot(kexec_file_load). - A new ima hook ima_kexec_cmdline is defined to be called by the kexec code. - A new function process_buffer_measurement is defined to measure the buffer hash into the IMA measurement list. - A new func policy KEXEC_CMDLINE is defined to control the measurement. Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
		
							parent
							
								
									19453ce0bc
								
							
						
					
					
						commit
						b0935123a1
					
				| @ -28,6 +28,7 @@ Description: | |||||||
| 		base: 	func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] | 		base: 	func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] | ||||||
| 				[FIRMWARE_CHECK] | 				[FIRMWARE_CHECK] | ||||||
| 				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] | 				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] | ||||||
|  | 				[KEXEC_CMDLINE] | ||||||
| 			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] | 			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] | ||||||
| 			       [[^]MAY_EXEC] | 			       [[^]MAY_EXEC] | ||||||
| 			fsmagic:= hex value | 			fsmagic:= hex value | ||||||
|  | |||||||
| @ -26,6 +26,7 @@ extern int ima_read_file(struct file *file, enum kernel_read_file_id id); | |||||||
| extern int ima_post_read_file(struct file *file, void *buf, loff_t size, | extern int ima_post_read_file(struct file *file, void *buf, loff_t size, | ||||||
| 			      enum kernel_read_file_id id); | 			      enum kernel_read_file_id id); | ||||||
| extern void ima_post_path_mknod(struct dentry *dentry); | extern void ima_post_path_mknod(struct dentry *dentry); | ||||||
|  | extern void ima_kexec_cmdline(const void *buf, int size); | ||||||
| 
 | 
 | ||||||
| #ifdef CONFIG_IMA_KEXEC | #ifdef CONFIG_IMA_KEXEC | ||||||
| extern void ima_add_kexec_buffer(struct kimage *image); | extern void ima_add_kexec_buffer(struct kimage *image); | ||||||
| @ -92,6 +93,7 @@ static inline void ima_post_path_mknod(struct dentry *dentry) | |||||||
| 	return; | 	return; | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | static inline void ima_kexec_cmdline(const void *buf, int size) {} | ||||||
| #endif /* CONFIG_IMA */ | #endif /* CONFIG_IMA */ | ||||||
| 
 | 
 | ||||||
| #ifndef CONFIG_IMA_KEXEC | #ifndef CONFIG_IMA_KEXEC | ||||||
|  | |||||||
| @ -190,6 +190,7 @@ static inline unsigned long ima_hash_key(u8 *digest) | |||||||
| 	hook(KEXEC_KERNEL_CHECK)	\ | 	hook(KEXEC_KERNEL_CHECK)	\ | ||||||
| 	hook(KEXEC_INITRAMFS_CHECK)	\ | 	hook(KEXEC_INITRAMFS_CHECK)	\ | ||||||
| 	hook(POLICY_CHECK)		\ | 	hook(POLICY_CHECK)		\ | ||||||
|  | 	hook(KEXEC_CMDLINE)		\ | ||||||
| 	hook(MAX_CHECK) | 	hook(MAX_CHECK) | ||||||
| #define __ima_hook_enumify(ENUM)	ENUM, | #define __ima_hook_enumify(ENUM)	ENUM, | ||||||
| 
 | 
 | ||||||
|  | |||||||
| @ -178,6 +178,7 @@ err_out: | |||||||
|  *		subj=, obj=, type=, func=, mask=, fsmagic= |  *		subj=, obj=, type=, func=, mask=, fsmagic= | ||||||
|  *	subj,obj, and type: are LSM specific. |  *	subj,obj, and type: are LSM specific. | ||||||
|  *	func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK |  *	func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK | ||||||
|  |  *	| KEXEC_CMDLINE | ||||||
|  *	mask: contains the permission mask |  *	mask: contains the permission mask | ||||||
|  *	fsmagic: hex value |  *	fsmagic: hex value | ||||||
|  * |  * | ||||||
|  | |||||||
| @ -609,6 +609,78 @@ int ima_load_data(enum kernel_load_data_id id) | |||||||
| 	return 0; | 	return 0; | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | /*
 | ||||||
|  |  * process_buffer_measurement - Measure the buffer to ima log. | ||||||
|  |  * @buf: pointer to the buffer that needs to be added to the log. | ||||||
|  |  * @size: size of buffer(in bytes). | ||||||
|  |  * @eventname: event name to be used for the buffer entry. | ||||||
|  |  * @cred: a pointer to a credentials structure for user validation. | ||||||
|  |  * @secid: the secid of the task to be validated. | ||||||
|  |  * | ||||||
|  |  * Based on policy, the buffer is measured into the ima log. | ||||||
|  |  */ | ||||||
|  | static void process_buffer_measurement(const void *buf, int size, | ||||||
|  | 				       const char *eventname, | ||||||
|  | 				       const struct cred *cred, u32 secid) | ||||||
|  | { | ||||||
|  | 	int ret = 0; | ||||||
|  | 	struct ima_template_entry *entry = NULL; | ||||||
|  | 	struct integrity_iint_cache iint = {}; | ||||||
|  | 	struct ima_event_data event_data = {.iint = &iint, | ||||||
|  | 					    .filename = eventname}; | ||||||
|  | 	struct ima_template_desc *template_desc = NULL; | ||||||
|  | 	struct { | ||||||
|  | 		struct ima_digest_data hdr; | ||||||
|  | 		char digest[IMA_MAX_DIGEST_SIZE]; | ||||||
|  | 	} hash = {}; | ||||||
|  | 	int violation = 0; | ||||||
|  | 	int pcr = CONFIG_IMA_MEASURE_PCR_IDX; | ||||||
|  | 	int action = 0; | ||||||
|  | 
 | ||||||
|  | 	action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr, | ||||||
|  | 				&template_desc); | ||||||
|  | 	if (!(action & IMA_MEASURE)) | ||||||
|  | 		return; | ||||||
|  | 
 | ||||||
|  | 	iint.ima_hash = &hash.hdr; | ||||||
|  | 	iint.ima_hash->algo = ima_hash_algo; | ||||||
|  | 	iint.ima_hash->length = hash_digest_size[ima_hash_algo]; | ||||||
|  | 
 | ||||||
|  | 	ret = ima_calc_buffer_hash(buf, size, iint.ima_hash); | ||||||
|  | 	if (ret < 0) | ||||||
|  | 		goto out; | ||||||
|  | 
 | ||||||
|  | 	ret = ima_alloc_init_template(&event_data, &entry, template_desc); | ||||||
|  | 	if (ret < 0) | ||||||
|  | 		goto out; | ||||||
|  | 
 | ||||||
|  | 	ret = ima_store_template(entry, violation, NULL, buf, pcr); | ||||||
|  | 
 | ||||||
|  | 	if (ret < 0) | ||||||
|  | 		ima_free_template_entry(entry); | ||||||
|  | 
 | ||||||
|  | out: | ||||||
|  | 	return; | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | /**
 | ||||||
|  |  * ima_kexec_cmdline - measure kexec cmdline boot args | ||||||
|  |  * @buf: pointer to buffer | ||||||
|  |  * @size: size of buffer | ||||||
|  |  * | ||||||
|  |  * Buffers can only be measured, not appraised. | ||||||
|  |  */ | ||||||
|  | void ima_kexec_cmdline(const void *buf, int size) | ||||||
|  | { | ||||||
|  | 	u32 secid; | ||||||
|  | 
 | ||||||
|  | 	if (buf && size != 0) { | ||||||
|  | 		security_task_getsecid(current, &secid); | ||||||
|  | 		process_buffer_measurement(buf, size, "kexec-cmdline", | ||||||
|  | 					   current_cred(), secid); | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  | 
 | ||||||
| static int __init init_ima(void) | static int __init init_ima(void) | ||||||
| { | { | ||||||
| 	int error; | 	int error; | ||||||
|  | |||||||
| @ -374,6 +374,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, | |||||||
| { | { | ||||||
| 	int i; | 	int i; | ||||||
| 
 | 
 | ||||||
|  | 	if (func == KEXEC_CMDLINE) { | ||||||
|  | 		if ((rule->flags & IMA_FUNC) && (rule->func == func)) | ||||||
|  | 			return true; | ||||||
|  | 		return false; | ||||||
|  | 	} | ||||||
| 	if ((rule->flags & IMA_FUNC) && | 	if ((rule->flags & IMA_FUNC) && | ||||||
| 	    (rule->func != func && func != POST_SETATTR)) | 	    (rule->func != func && func != POST_SETATTR)) | ||||||
| 		return false; | 		return false; | ||||||
| @ -956,6 +961,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) | |||||||
| 				entry->func = KEXEC_INITRAMFS_CHECK; | 				entry->func = KEXEC_INITRAMFS_CHECK; | ||||||
| 			else if (strcmp(args[0].from, "POLICY_CHECK") == 0) | 			else if (strcmp(args[0].from, "POLICY_CHECK") == 0) | ||||||
| 				entry->func = POLICY_CHECK; | 				entry->func = POLICY_CHECK; | ||||||
|  | 			else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) | ||||||
|  | 				entry->func = KEXEC_CMDLINE; | ||||||
| 			else | 			else | ||||||
| 				result = -EINVAL; | 				result = -EINVAL; | ||||||
| 			if (!result) | 			if (!result) | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user
	 Prakhar Srivastava
						Prakhar Srivastava