[PATCH 2/2] SELinux: Measure state and hash of policy using IMA
Lakshmi Ramasubramanian
nramas at linux.microsoft.com
Thu Aug 13 18:03:04 UTC 2020
On 8/13/20 10:58 AM, Stephen Smalley wrote:
> On Thu, Aug 13, 2020 at 1:52 PM Lakshmi Ramasubramanian
> <nramas at linux.microsoft.com> wrote:
>>
>> On 8/13/20 10:42 AM, Stephen Smalley wrote:
>>
>>>> diff --git a/security/selinux/measure.c b/security/selinux/measure.c
>>>> new file mode 100644
>>>> index 000000000000..f21b7de4e2ae
>>>> --- /dev/null
>>>> +++ b/security/selinux/measure.c
>>>> @@ -0,0 +1,204 @@
>>>> +static int selinux_hash_buffer(void *buf, size_t buf_len,
>>>> + void **buf_hash, int *buf_hash_len)
>>>> +{
>>>> + struct crypto_shash *tfm;
>>>> + struct shash_desc *desc = NULL;
>>>> + void *digest = NULL;
>>>> + int desc_size;
>>>> + int digest_size;
>>>> + int ret = 0;
>>>> +
>>>> + tfm = crypto_alloc_shash("sha256", 0, 0);
>>>> + if (IS_ERR(tfm))
>>>> + return PTR_ERR(tfm);
>>> Can we make the algorithm selectable via kernel parameter and/or writing
>>> to a new selinuxfs node?
>>
>> I can add a kernel parameter to select this hash algorithm.
>
> Also can we provide a Kconfig option for the default value like IMA does?
>
Would we need both - Kconfig and kernel param?
The other option is to provide an IMA function to return the current
hash algorithm used for measurement. That way a consistent hash
algorithm can be employed by both IMA and the callers. Would that be better?
-lakshmi
More information about the Linux-security-module-archive
mailing list