[PATCH 3/3] IMA: add support to measure duplicate buffer for critical data hook

Mimi Zohar zohar at linux.ibm.com
Mon Feb 8 20:24:37 UTC 2021


Hi Tushar,

On Fri, 2021-01-29 at 16:45 -0800, Tushar Sugandhi wrote:

> diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
> 
> index c096ef8945c7..fbf359495fa8 100644
> --- a/security/integrity/ima/ima_queue.c
> +++ b/security/integrity/ima/ima_queue.c
> @@ -158,7 +158,7 @@ static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr)
>   */
>  int ima_add_template_entry(struct ima_template_entry *entry, int violation,
>  			   const char *op, struct inode *inode,
> -			   const unsigned char *filename)
> +			   const unsigned char *filename, bool allow_dup)
>  {
>  	u8 *digest = entry->digests[ima_hash_algo_idx].digest;
> 
 	struct tpm_digestate_entry(struct ima_template_entry *entry, int violation,
>  
>  	mutex_lock(&ima_extend_list_mutex);
>  	if (!violation) {
> -		if (ima_lookup_digest_entry(digest, entry->pcr)) {
> +		if (!allow_dup &&
> +		    ima_lookup_digest_entry(digest, entry->pcr)) {

Can't this change be simplified to "if (!violation && !allow_dup)"?

Also perhaps instead of passing another variable "allow_dup" to each of
these functions, pass a mask containing violation and allow_dup.

>  			audit_cause = "hash_exists";
>  			result = -EEXIST;
>  			goto out;

thanks,

Mimi



More information about the Linux-security-module-archive mailing list