[RFC][PATCH v2 06/12] diglim: Interfaces - digest_list_add, digest_list_del

Mimi Zohar zohar at linux.ibm.com
Thu Jul 29 21:20:42 UTC 2021


Hi Roberto,

On Mon, 2021-07-26 at 18:36 +0200, Roberto Sassu wrote:
> /*
> + * digest_list_read: read and parse the digest list from the path
> + */
> +static ssize_t digest_list_read(char *path, enum ops op)
> +{
> +       void *data = NULL;
> +       char *datap;
> +       size_t size;
> +       u8 actions = 0;
> +       struct file *file;
> +       char event_name[NAME_MAX + 9 + 1];
> +       u8 digest[IMA_MAX_DIGEST_SIZE] = { 0 };
> +       enum hash_algo algo;
> +       int rc, pathlen = strlen(path);
> +
> +       /* Remove \n. */
> +       datap = path;
> +       strsep(&datap, "\n");
> +
> +       file = filp_open(path, O_RDONLY, 0);
> +       if (IS_ERR(file)) {
> +               pr_err("unable to open file: %s (%ld)", path, PTR_ERR(file));
> +               return PTR_ERR(file);
> +       }
> +
> +       rc = kernel_read_file(file, 0, &data, INT_MAX, NULL,
> +                             READING_DIGEST_LIST);
> +       if (rc < 0) {
> +               pr_err("unable to read file: %s (%d)", path, rc);
> +               goto out;
> +       }
> +
> +       size = rc;
> +
> +       snprintf(event_name, sizeof(event_name), "%s_file_%s",
> +                op == DIGEST_LIST_ADD ? "add" : "del",
> +                file_dentry(file)->d_name.name);
> +
> +       rc = ima_measure_critical_data("diglim", event_name, data, size, false,
> +                                      digest, sizeof(digest));
> +       if (rc < 0 && rc != -EEXIST)
> +               goto out_vfree;

The digest lists could easily be measured while reading the digest list
file above in kernel_read_file().  What makes it "critical-data"?  In
the SELinux case, the in memory SELinux policy is being measured and
re-measured to make sure it hasn't been modified.  Is the digest list
file data being measured more than once?

I understand that with your changes to ima_measure_critical_data(),
which are now in next-integrity-testing branch, allow IMA to calculate
the file data hash.

thanks,

Mimi

> +
> +       algo = ima_get_current_hash_algo();
> +




More information about the Linux-security-module-archive mailing list