From 19453ce0bcfbdf7332a104eebf5d835977af7284 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Wed, 19 Jun 2019 15:46:11 -0700 Subject: IMA: support for per policy rule template formats Admins may wish to log different measurements using different IMA templates. Add support for overriding the default template on a per-rule basis. Inspired-by: Roberto Sassu Signed-off-by: Matthew Garrett Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_template.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'security/integrity/ima/ima_template.c') diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c index b631b8bc7624..00dd5a434689 100644 --- a/security/integrity/ima/ima_template.c +++ b/security/integrity/ima/ima_template.c @@ -47,10 +47,6 @@ static const struct ima_template_field supported_fields[] = { #define MAX_TEMPLATE_NAME_LEN 15 static struct ima_template_desc *ima_template; -static struct ima_template_desc *lookup_template_desc(const char *name); -static int template_desc_init_fields(const char *template_fmt, - const struct ima_template_field ***fields, - int *num_fields); static int __init ima_template_setup(char *str) { @@ -108,7 +104,7 @@ static int __init ima_template_fmt_setup(char *str) } __setup("ima_template_fmt=", ima_template_fmt_setup); -static struct ima_template_desc *lookup_template_desc(const char *name) +struct ima_template_desc *lookup_template_desc(const char *name) { struct ima_template_desc *template_desc; int found = 0; @@ -153,9 +149,9 @@ static int template_fmt_size(const char *template_fmt) return j + 1; } -static int template_desc_init_fields(const char *template_fmt, - const struct ima_template_field ***fields, - int *num_fields) +int template_desc_init_fields(const char *template_fmt, + const struct ima_template_field ***fields, + int *num_fields) { const char *template_fmt_ptr; const struct ima_template_field *found_fields[IMA_TEMPLATE_NUM_FIELDS_MAX]; -- cgit v1.2.3 From 86b4da8c0e7fcb6c217c604efcd9438ad55dd055 Mon Sep 17 00:00:00 2001 From: Prakhar Srivastava Date: Sun, 23 Jun 2019 23:23:30 -0700 Subject: IMA: Define a new template field buf A buffer(kexec boot command line arguments) measured into IMA measuremnt list cannot be appraised, without already being aware of the buffer contents. Since hashes are non-reversible, raw buffer is needed for validation or regenerating hash for appraisal/attestation. Add support to store/read the buffer contents in HEX. The kexec cmdline hash is stored in the "d-ng" field of the template data. It can be verified using sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep kexec-cmdline | cut -d' ' -f 6 | xxd -r -p | sha256sum - Add two new fields to ima_event_data to hold the buf and buf_len - Add a new template field 'buf' to be used to store/read the buffer data. - Updated process_buffer_meaurement to add the buffer to ima_event_data. process_buffer_measurement added in "Define a new IMA hook to measure the boot command line arguments" - Add a new template policy name ima-buf to represent 'd-ng|n-ng|buf' Signed-off-by: Prakhar Srivastava Reviewed-by: Roberto Sassu Reviewed-by: James Morris Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_template.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'security/integrity/ima/ima_template.c') diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c index 00dd5a434689..a01a17e5c581 100644 --- a/security/integrity/ima/ima_template.c +++ b/security/integrity/ima/ima_template.c @@ -26,6 +26,7 @@ static struct ima_template_desc builtin_templates[] = { {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT}, {.name = "ima-ng", .fmt = "d-ng|n-ng"}, {.name = "ima-sig", .fmt = "d-ng|n-ng|sig"}, + {.name = "ima-buf", .fmt = "d-ng|n-ng|buf"}, {.name = "", .fmt = ""}, /* placeholder for a custom format */ }; @@ -43,6 +44,8 @@ static const struct ima_template_field supported_fields[] = { .field_show = ima_show_template_string}, {.field_id = "sig", .field_init = ima_eventsig_init, .field_show = ima_show_template_sig}, + {.field_id = "buf", .field_init = ima_eventbuf_init, + .field_show = ima_show_template_buf}, }; #define MAX_TEMPLATE_NAME_LEN 15 -- cgit v1.2.3 From 337619eb44ef663d329c5c19efd18488ce7de492 Mon Sep 17 00:00:00 2001 From: Thiago Jung Bauermann Date: Thu, 27 Jun 2019 20:25:46 -0300 Subject: ima: Update MAX_TEMPLATE_NAME_LEN to fit largest reasonable definition MAX_TEMPLATE_NAME_LEN is used when restoring measurements carried over from a kexec. It should be set to the length of a template containing all fields except for 'd' and 'n', which don't need to be accounted for since they shouldn't be defined in the same template description as 'd-ng' and 'n-ng'. That length is greater than the current 15, so update using a sizeof() to show where the number comes from and also can be visually shown to be correct. The sizeof() is calculated at compile time. Signed-off-by: Thiago Jung Bauermann Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_template.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'security/integrity/ima/ima_template.c') diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c index a01a17e5c581..7343e8e0ae2f 100644 --- a/security/integrity/ima/ima_template.c +++ b/security/integrity/ima/ima_template.c @@ -47,7 +47,13 @@ static const struct ima_template_field supported_fields[] = { {.field_id = "buf", .field_init = ima_eventbuf_init, .field_show = ima_show_template_buf}, }; -#define MAX_TEMPLATE_NAME_LEN 15 + +/* + * Used when restoring measurements carried over from a kexec. 'd' and 'n' don't + * need to be accounted for since they shouldn't be defined in the same template + * description as 'd-ng' and 'n-ng' respectively. + */ +#define MAX_TEMPLATE_NAME_LEN sizeof("d-ng|n-ng|sig|buf") static struct ima_template_desc *ima_template; -- cgit v1.2.3