[PATCH 2/3] kexec: measure boot command line
From: Mimi Zohar
Date: Wed Jun 22 2016 - 09:35:36 EST
This patch defines the buffer identifier "KEXEC_CMDLINE_CHECK" for
measuring the boot command line.
eg: echo -n -e `cat /proc/cmdline | sed 's/^.*root=/root=/'` | sha256sum
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
---
Documentation/ABI/testing/ima_policy | 1 +
include/linux/ima.h | 1 +
kernel/kexec_file.c | 4 ++++
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_buffer.c | 2 ++
security/integrity/ima/ima_policy.c | 9 ++++++++-
6 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index bb0f9a1..5a99c6f 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -28,6 +28,7 @@ Description:
base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
[FIRMWARE_CHECK]
[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
+ [KEXEC_CMDLINE_CHECK]
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
[[^]MAY_EXEC]
fsmagic:= hex value
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 01319b3..88203f9 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -14,6 +14,7 @@
struct linux_binprm;
enum ima_buffer_id {
+ MEASURING_KEXEC_CMDLINE,
MEASURING_MAX_BUFFER_ID
};
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 503bc2d..acc8dad1 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -19,6 +19,7 @@
#include <linux/mutex.h>
#include <linux/list.h>
#include <linux/fs.h>
+#include <linux/ima.h>
#include <crypto/hash.h>
#include <crypto/sha.h>
#include <linux/syscalls.h>
@@ -178,6 +179,9 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
ret = -EINVAL;
goto out;
}
+
+ ima_buffer_check(image->cmdline_buf, cmdline_len - 1,
+ MEASURING_KEXEC_CMDLINE);
}
/* Call arch image load handlers */
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index cc2e77b..5f21a9a 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -150,6 +150,7 @@ enum ima_hooks {
FIRMWARE_CHECK,
KEXEC_KERNEL_CHECK,
KEXEC_INITRAMFS_CHECK,
+ KEXEC_CMDLINE_CHECK,
POLICY_CHECK,
MAX_CHECK
};
diff --git a/security/integrity/ima/ima_buffer.c b/security/integrity/ima/ima_buffer.c
index 84c9494..e74131b 100644
--- a/security/integrity/ima/ima_buffer.c
+++ b/security/integrity/ima/ima_buffer.c
@@ -20,6 +20,8 @@ struct buffer_idmap {
};
static struct buffer_idmap _idmap[MEASURING_MAX_BUFFER_ID] = {
+ [MEASURING_KEXEC_CMDLINE].func = KEXEC_CMDLINE_CHECK,
+ [MEASURING_KEXEC_CMDLINE].buf = "boot-cmdline",
};
static void process_buffer_measurement(void *buf, loff_t size,
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 521d612..8e53f84 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -663,6 +663,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
== 0)
entry->func = KEXEC_INITRAMFS_CHECK;
+ else if (strcmp(args[0].from, "KEXEC_CMDLINE_CHECK")
+ == 0)
+ entry->func = KEXEC_CMDLINE_CHECK;
else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
entry->func = POLICY_CHECK;
else
@@ -926,7 +929,7 @@ enum {
func_file = 0, func_mmap, func_bprm,
func_module, func_firmware, func_post,
func_kexec_kernel, func_kexec_initramfs,
- func_policy
+ func_kexec_cmdline, func_policy
};
static char *func_tokens[] = {
@@ -938,6 +941,7 @@ static char *func_tokens[] = {
"POST_SETATTR",
"KEXEC_KERNEL_CHECK",
"KEXEC_INITRAMFS_CHECK",
+ "KEXEC_CMDLINE_CHECK",
"POLICY_CHECK"
};
@@ -1009,6 +1013,9 @@ static void policy_func_show(struct seq_file *m, enum ima_hooks func)
case KEXEC_INITRAMFS_CHECK:
seq_printf(m, pt(Opt_func), ft(func_kexec_initramfs));
break;
+ case KEXEC_CMDLINE_CHECK:
+ seq_printf(m, pt(Opt_func), ft(func_kexec_cmdline));
+ break;
case POLICY_CHECK:
seq_printf(m, pt(Opt_func), ft(func_policy));
break;
--
2.1.0