[PATCH v3 06/13] diglim: IMA info

Roberto Sassu roberto.sassu at huawei.com
Tue Sep 14 16:33:54 UTC 2021


Introduce diglim_ima_get_info() to retrieve the digest and the actions
performed by IMA on the passed digest list file or buffer.

diglim_ima_get_info() requires the caller to write-lock the file to ensure
that the file content the integrity status is retrieved from didn't change
since the time the buffer passed as argument was filled.

Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
---
 MAINTAINERS                        |   1 +
 security/integrity/diglim/Makefile |   2 +-
 security/integrity/diglim/diglim.h |   6 ++
 security/integrity/diglim/ima.c    | 122 +++++++++++++++++++++++++++++
 security/integrity/integrity.h     |   4 +
 5 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100644 security/integrity/diglim/ima.c

diff --git a/MAINTAINERS b/MAINTAINERS
index f5959936d490..f10690dda734 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -5514,6 +5514,7 @@ F:	Documentation/security/diglim/introduction.rst
 F:	include/linux/diglim.h
 F:	include/uapi/linux/diglim.h
 F:	security/integrity/diglim/diglim.h
+F:	security/integrity/diglim/ima.c
 F:	security/integrity/diglim/methods.c
 F:	security/integrity/diglim/parser.c
 
diff --git a/security/integrity/diglim/Makefile b/security/integrity/diglim/Makefile
index 34e4e154fff3..880dc5300792 100644
--- a/security/integrity/diglim/Makefile
+++ b/security/integrity/diglim/Makefile
@@ -5,4 +5,4 @@
 
 obj-$(CONFIG_DIGLIM) += diglim.o
 
-diglim-y := methods.o parser.o
+diglim-y := methods.o parser.o ima.o
diff --git a/security/integrity/diglim/diglim.h b/security/integrity/diglim/diglim.h
index afdb0affdc5e..ebe8936520b5 100644
--- a/security/integrity/diglim/diglim.h
+++ b/security/integrity/diglim/diglim.h
@@ -22,6 +22,8 @@
 #include <linux/hash_info.h>
 #include <linux/diglim.h>
 
+#include "../integrity.h"
+
 #define MAX_DIGEST_SIZE 64
 #define HASH_BITS 10
 #define DIGLIM_HTABLE_SIZE (1 << HASH_BITS)
@@ -221,4 +223,8 @@ void digest_list_del(u8 *digest, enum hash_algo algo, u8 actions,
 
 int digest_list_parse(loff_t size, void *buf, enum ops op, u8 actions,
 		      u8 *digest, enum hash_algo algo, const char *label);
+
+int diglim_ima_get_info(struct file *file, u8 *buffer, size_t buffer_len,
+			char *event_name, u8 *digest, size_t digest_len,
+			enum hash_algo *algo, u8 *actions);
 #endif /*__DIGLIM_INTERNAL_H*/
diff --git a/security/integrity/diglim/ima.c b/security/integrity/diglim/ima.c
new file mode 100644
index 000000000000..2cc1ec1299f8
--- /dev/null
+++ b/security/integrity/diglim/ima.c
@@ -0,0 +1,122 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2021 Huawei Technologies Duesseldorf GmbH
+ *
+ * Author: Roberto Sassu <roberto.sassu at huawei.com>
+ *
+ * Functions to retrieve the integrity status from IMA.
+ */
+
+#include <linux/vmalloc.h>
+#include <linux/module.h>
+#include <linux/ima.h>
+
+#include "diglim.h"
+
+static int diglim_ima_get_info_file(struct file *file, u8 *digest,
+				    size_t digest_len, enum hash_algo *algo,
+				    u8 *actions)
+{
+	struct integrity_iint_cache *iint;
+	struct inode *inode = file_inode(file);
+	int ret = -ENOENT;
+
+	iint = integrity_iint_find(inode);
+	if (!iint)
+		return ret;
+
+	mutex_lock(&iint->mutex);
+	/* File digest has not been calculated. */
+	if (!(iint->flags & IMA_COLLECTED))
+		goto out;
+
+	ret = 0;
+
+	if (iint->flags & IMA_MEASURED)
+		*actions |= 1 << COMPACT_ACTION_IMA_MEASURED;
+
+	if (iint->flags & IMA_APPRAISED)
+		*actions |= 1 << COMPACT_ACTION_IMA_APPRAISED;
+
+	if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
+		*actions |= 1 << COMPACT_ACTION_IMA_APPRAISED_DIGSIG;
+
+	if (algo)
+		*algo = iint->ima_hash->algo;
+	if (digest)
+		memcpy(digest, iint->ima_hash->digest, hash_digest_size[*algo]);
+out:
+	mutex_unlock(&iint->mutex);
+	return ret;
+}
+
+static int diglim_ima_get_info_buffer(u8 *buffer, size_t buffer_len,
+				      char *event_name, u8 *digest,
+				      size_t digest_len, enum hash_algo *algo,
+				      u8 *actions)
+{
+	int ret;
+
+	ret = ima_measure_critical_data("diglim", event_name, buffer,
+					buffer_len, false, digest, digest_len);
+	if (ret < 0 && ret != -EEXIST)
+		return -ENOENT;
+
+	*algo = ima_get_current_hash_algo();
+
+	if (!ret || ret == -EEXIST)
+		*actions |= 1 << COMPACT_ACTION_IMA_MEASURED;
+
+	return 0;
+}
+
+/**
+ * diglim_ima_get_info - retrieve the integrity status of digest list from IMA
+ * @file: file to retrieve the integrity status from
+ * @buffer: buffer to retrieve the integrity status from (alternative to file)
+ * @buffer_len: buffer length
+ * @event_name: name of the event to be generated by IMA for buffer measurement
+ * @digest: digest of the file or the buffer
+ * @digest_len: digest length
+ * @algo: digest algorithm
+ * @actions: actions performed on the file or the buffer
+ *
+ * This function attempts to retrieve some information from the passed digest
+ * list file or buffer: the digest, its algorithm, and the actions performed by
+ * IMA.
+ *
+ * This function first attempts to retrieve the information from the file, and
+ * if unsuccessful, attempts with the buffer.
+ *
+ * The caller must prevent writes to the file with deny_write_access() to ensure
+ * that the file content the integrity status is retrieved from didn't change
+ * since the time the buffer passed as argument was filled.
+ *
+ * Return: 0 if the information has been successfully retrieved, -ENOENT
+ *         otherwise.
+ */
+int diglim_ima_get_info(struct file *file, u8 *buffer, size_t buffer_len,
+			char *event_name, u8 *digest, size_t digest_len,
+			enum hash_algo *algo, u8 *actions)
+{
+	int ret = -ENOENT;
+
+	/* Ensure that the file is write-locked. */
+	if (file && atomic_read(&file_inode(file)->i_writecount) >= 0)
+		return -EINVAL;
+
+	if (file) {
+		ret = diglim_ima_get_info_file(file, digest, digest_len, algo,
+					       actions);
+		if (!ret && (*actions & (1 << COMPACT_ACTION_IMA_MEASURED)))
+			return ret;
+	}
+
+	if (buffer) {
+		ret = diglim_ima_get_info_buffer(buffer, buffer_len, event_name,
+						 digest, digest_len, algo,
+						 actions);
+	}
+
+	return ret;
+}
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 74919b638f52..de5dde382f11 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -6,6 +6,9 @@
  * Mimi Zohar <zohar at us.ibm.com>
  */
 
+#ifndef __INTEGRITY_H
+#define __INTEGRITY_H
+
 #ifdef pr_fmt
 #undef pr_fmt
 #endif
@@ -285,3 +288,4 @@ static inline void __init add_to_platform_keyring(const char *source,
 {
 }
 #endif
+#endif /*__INTEGRITY_H*/
-- 
2.25.1



More information about the Linux-security-module-archive mailing list