[RFC][PATCH v4 7/9] ima: Load verified usage from digest cache found from query
Roberto Sassu
roberto.sassu at huaweicloud.com
Tue Nov 19 11:01:01 UTC 2024
From: Roberto Sassu <roberto.sassu at huawei.com>
Introduce ima_digest_cache_load_verified_usage() to retrieve the verified
usage from the digest cache pointer returned by digest_cache_lookup().
Verified usage cannot be loaded from the digest cache returned by
digest_cache_get() since the latter might return a directory digest cache,
which does not contain any verification data (only set to digest caches
populated from a file).
If digest_cache_lookup() returns the ERR_PTR(-EAGAIN) error pointer,
replace the digest cache pointer in the inode integrity metadata, by
calling digest_cache_get() again, and perform the lookup.
ERR_PTR(-EAGAIN) is returned if the digest cache currently stored in the
inode integrity metadata changed between digest_cache_get() and
digest_cache_lookup(). In this case, getting a fresh digest cache is
necessary to see which changes have been made on the digest cache.
Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
---
security/integrity/ima/ima_digest_cache.c | 42 +++++++++++++++++++++++
security/integrity/ima/ima_digest_cache.h | 9 +++++
2 files changed, 51 insertions(+)
diff --git a/security/integrity/ima/ima_digest_cache.c b/security/integrity/ima/ima_digest_cache.c
index 2c7824ce05cd..b6bd6f9d5442 100644
--- a/security/integrity/ima/ima_digest_cache.c
+++ b/security/integrity/ima/ima_digest_cache.c
@@ -82,3 +82,45 @@ void ima_digest_cache_store_verified_usage(struct file *file,
pr_debug("Cannot set verified usage for %s, ret: %d, ignoring\n",
file_dentry(file)->d_name.name, rc);
}
+
+/**
+ * ima_digest_cache_load_verified_usage - Load verified usage from digest cache
+ * @file: File descriptor of the inode for which the digest cache will be used
+ * @iint: Inode integrity metadata
+ *
+ * Load digest cache verified usage from the digest cache returned by
+ * digest_cache_lookup(), containing the file digest calculated by IMA (if the
+ * digest is found).
+ *
+ * Return: Verified usage if digest is found in digest cache, zero otherwise.
+ */
+u64 ima_digest_cache_load_verified_usage(struct file *file,
+ struct ima_iint_cache *iint)
+{
+ u64 verified_usage = 0ULL;
+ void *verified_usage_ptr;
+ struct digest_cache *found_cache;
+again:
+ if (!iint->digest_cache)
+ return 0ULL;
+
+ /* Do lookup to get digest cache containing calculated file digest. */
+ found_cache = digest_cache_lookup(file_dentry(file), iint->digest_cache,
+ iint->ima_hash->digest,
+ iint->ima_hash->algo);
+ if (!found_cache) {
+ return 0ULL;
+ } else if (found_cache == ERR_PTR(-EAGAIN)) {
+ digest_cache_put(iint->digest_cache);
+ iint->digest_cache = digest_cache_get(file);
+ goto again;
+ }
+
+ /* Get verification data from digest cache with calculated digest. */
+ verified_usage_ptr = digest_cache_verif_get(found_cache, "ima");
+ if (verified_usage_ptr)
+ verified_usage = *(u64 *)verified_usage_ptr;
+
+ digest_cache_put(found_cache);
+ return verified_usage;
+}
diff --git a/security/integrity/ima/ima_digest_cache.h b/security/integrity/ima/ima_digest_cache.h
index 167690930078..23cb53ed02e5 100644
--- a/security/integrity/ima/ima_digest_cache.h
+++ b/security/integrity/ima/ima_digest_cache.h
@@ -14,6 +14,8 @@ bool ima_digest_cache_get_check(struct file *file,
struct ima_iint_cache *iint);
void ima_digest_cache_store_verified_usage(struct file *file,
struct ima_iint_cache *iint);
+u64 ima_digest_cache_load_verified_usage(struct file *file,
+ struct ima_iint_cache *iint);
#else
static inline bool ima_digest_cache_get_check(struct file *file,
struct ima_iint_cache *iint)
@@ -26,4 +28,11 @@ ima_digest_cache_store_verified_usage(struct file *file,
struct ima_iint_cache *iint)
{ }
+static inline u64
+ima_digest_cache_load_verified_usage(struct file *file,
+ struct ima_iint_cache *iint)
+{
+ return 0ULL;
+}
+
#endif /* CONFIG_INTEGRITY_DIGEST_CACHE */
--
2.47.0.118.gfd3785337b
More information about the Linux-security-module-archive
mailing list