Re: [PATCH 2/3] IMA:Define a new template field buf

From: Mimi Zohar
Date: Wed Jun 19 2019 - 11:12:29 EST


On Mon, 2019-06-17 at 11:35 -0700, Prakhar Srivastava wrote:
> A buffer(kexec boot command line arguments) measured into IMA
> measuremnt list cannot be appraised, without already being
> aware of the buffer contents. Since hashes are non-reversible,
> raw buffer is needed for validation or regenerating hash for
> appraisal/attestation.
>
> Add support to store/read the buffer contents in HEX.
> The kexec cmdline hash is stored in the "d-ng" field of the
> template data,it can be verified using
> sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements |
> grep kexec-cmdline | cut -d' ' -f 6 | xxd -r -p | sha256sum
>
> - Add two new fields to ima_event_data to hold the buf and
> buf_len [Suggested by Roberto]
> - Add a new temaplte field 'buf' to be used to store/read
> the buffer data.[Suggested by Mimi]
> - Updated process_buffer_meaurement to add the buffer to
> ima_event_data. process_buffer_measurement added in
> "Define a new IMA hook to measure the boot command line
> arguments"
> - Add a new template policy name ima-buf to represent
> 'd-ng|n-ng|buf'
>
> Signed-off-by: Prakhar Srivastava <prsriva02@xxxxxxxxx>
> Reviewed-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> Reviewed-by: James Morris <jamorris@xxxxxxxxxxxxxxxxxxx>

Thanks, looking much better.

>
> /* IMA template field data definition */
> diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
> index ea7d8cbf712f..83ca99d65e4b 100644
> --- a/security/integrity/ima/ima_api.c
> +++ b/security/integrity/ima/ima_api.c
> @@ -140,7 +140,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
> struct ima_template_entry *entry;
> struct inode *inode = file_inode(file);
> struct ima_event_data event_data = {iint, file, filename, NULL, 0,
> - cause};
> + cause, NULL, 0};
> int violation = 1;
> int result;
>
> @@ -296,7 +296,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
> struct inode *inode = file_inode(file);
> struct ima_template_entry *entry;
> struct ima_event_data event_data = {iint, file, filename, xattr_value,
> - xattr_len, NULL};
> + xattr_len, NULL, NULL, 0};
> int violation = 0;
>
> if (iint->measured_pcrs & (0x1 << pcr))
> diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
> index 993d0f1915ff..c8591406c0e2 100644
> --- a/security/integrity/ima/ima_init.c
> +++ b/security/integrity/ima/ima_init.c
> @@ -50,7 +50,7 @@ static int __init ima_add_boot_aggregate(void)
> struct ima_template_entry *entry;
> struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
> struct ima_event_data event_data = {iint, NULL, boot_aggregate_name,
> - NULL, 0, NULL};
> + NULL, 0, NULL, NULL, 0};
> int result = -ENOMEM;
> int violation = 0;
> struct {
>

These changes shouldn't be necessary. ÂPlease rebase these patches on
top of the latest next-queued-testing branch (git remote update). Â"IMA: support for per
policy rule template formats" is still changing.Â

Minor nit. ÂWhen re-posting the patches please update the patch titles
so that there is a space between the subsystem name and the patch
title (eg. "ima: define ...").

Mimi