authorZbigniew Jasinski <z.jasinski@samsung.com>2014-04-07 18:03:03 +0200
committerDmitry Kasatkin <dmitry.kasatkin@huawei.com>2015-10-22 22:33:58 +0300
commit0afeafd7c3c06a3ff7b14e034bd609f00078683b (patch)
treecb21416f80e6b7242df3515a66f55243902b40b1
parentf28564203104fc50bf5f2b0decccd7df77ce6f90 (diff)
ima: add new template field for inode appraisal statusima-policy
Extends the file measurement list by adding an additional template field that shows the inode cache appraisal status flags. The template format can be specified, for example, as: "d-ng|n-ng|status". Refactored by Dmitry: * removed Kconfig options * removed set_cach_last_func * changed data type to u8 hex for status Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
-rw-r--r--security/integrity/ima/ima_appraise.c1
-rw-r--r--security/integrity/ima/ima_main.c6
-rw-r--r--security/integrity/ima/ima_template.c3
-rw-r--r--security/integrity/ima/ima_template_lib.c30
-rw-r--r--security/integrity/ima/ima_template_lib.h2
-rw-r--r--security/integrity/integrity.h1
6 files changed, 40 insertions, 3 deletions
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 5be77dac3c094..b4a1d29d89c28 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -110,6 +110,7 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
iint->ima_file_status = status;
break;
}
+ iint->last_function = func;
}
static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
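Review bot: The new `iint->last_function = func;` store at the end of ima_set_cache_status has no comment explaining why a per-inode cache now remembers the hook, and a reader of this file alone cannot see that a template field later dispatches on it. I would add, on the line above the store, `/* remember the hook so the "status" template field can report the matching *_status */`. The function's signature and switch begin outside this hunk, so I cannot see whether every hook that the switch handles is one the reader of last_function also handles.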
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index f2e68d6029b70..47f80d387c1f4 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -257,15 +257,15 @@ static int process_measurement(struct file *file, int mask, int function,
if (!pathname) /* ima_rdwr_violation possibly pre-fetched */
pathname = ima_d_path(&file->f_path, &pathbuf);
- if (action & IMA_MEASURE)
- ima_store_measurement(iint, file, pathname,
- xattr_value, xattr_len);
if (action & IMA_APPRAISE_SUBMASK) {
mutex_lock(&inode->i_mutex);
rc = ima_appraise_measurement(function, iint, file, pathname,
xattr_value, xattr_len, opened);
mutex_unlock(&inode->i_mutex);
}
+ if (action & IMA_MEASURE)
+ ima_store_measurement(iint, file, pathname,
+ xattr_value, xattr_len);
if (action & IMA_AUDIT)
ima_audit_measurement(iint, pathname);
out_locked:
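Review bot: The ima_store_measurement call is moved below the appraisal block without a comment, so the next person to touch this function may restore the original order and silently break the "status" template field, which reads the appraisal result that this hook just cached. I would put `/* measure after appraisal so the "status" template field reflects this hook's result */` above the `if (action & IMA_MEASURE)` line. Note also that the measurement now runs after `mutex_unlock(&inode->i_mutex)`; if no other lock held across this region (the `out_locked:` label suggests one, but it is outside the hunk) serializes concurrent process_measurement calls on the same inode, the status and last_function values read by the template could belong to a different hook's appraisal. process_measurement starts and ends outside this hunk.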
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index cf10db93e47dc..f17c7755718de 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -22,6 +22,7 @@ static struct ima_template_desc defined_templates[] = {
{.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
{.name = "ima-ng", .fmt = "d-ng|n-ng"},
{.name = "ima-sig", .fmt = "d-ng|n-ng|sig"},
+ {.name = "ima-ng-ctrl", .fmt = "d-ng|n-ng|status"},
{.name = "", .fmt = ""}, /* placeholder for a custom format */
};
@@ -36,6 +37,8 @@ static struct ima_template_field supported_fields[] = {
.field_show = ima_show_template_string},
{.field_id = "sig", .field_init = ima_eventsig_init,
.field_show = ima_show_template_hex},
+ {.field_id = "status", .field_init = ima_eventstatus_init,
+ .field_show = ima_show_template_hex},
};
static struct ima_template_desc *ima_template;
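Review bot: The new "status" field writes a raw `enum integrity_status` value into the measurement list as one hex byte, which turns the enum's numbering into a userspace-visible ABI that nothing at the entry documents. I would add a comment at the `{.field_id = "status", ...}` entry: `/* "status": raw enum integrity_status of the last appraisal, 1 byte hex; renumbering the enum changes the ABI */`. The same applies to the "ima-ng-ctrl" template added in the previous hunk of this file, whose name does not hint that the extra field is only meaningful when the file is also appraised.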
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 1f745112eccf7..b3feefb6c0512 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -327,3 +327,33 @@ int ima_eventsig_init(struct ima_event_data *event_data,
out:
return rc;
}
+
+int ima_eventstatus_init(struct ima_event_data *event_data,
+ struct ima_field_data *field_data)
+{
+ u8 status = INTEGRITY_UNKNOWN;
+ struct integrity_iint_cache *iint = event_data->iint;
+
+ if (!iint)
+ goto out;
+
+ switch (iint->last_function) {
+ case MMAP_CHECK:
+ status = iint->ima_mmap_status;
+ break;
+ case BPRM_CHECK:
+ status = iint->ima_bprm_status;
+ break;
+ case MODULE_CHECK:
+ status = iint->ima_module_status;
+ break;
+ case FILE_CHECK:
+ default:
+ status = iint->ima_file_status;
+ break;
+ }
+
+out:
+ return ima_write_template_field_data(&status, sizeof(status),
+ DATA_FMT_HEX, field_data);
+}
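Review bot: The switch in ima_eventstatus_init duplicates the hook-to-status mapping of ima_set_cache_status in ima_appraise.c, and nothing ties the two together; if the setter's switch (not shown in this diff) handles hooks beyond MMAP_CHECK, BPRM_CHECK and MODULE_CHECK, those would be cached in their own field but fall into `default:` here and report ima_file_status instead. I would either factor the lookup into a shared helper next to ima_set_cache_status or at least add above the switch `/* must mirror the hook cases of ima_set_cache_status() */`. The function also lacks a kernel-doc header; a few lines stating that it emits the cached appraisal status for the hook recorded in iint->last_function as a single hex byte, and INTEGRITY_UNKNOWN when there is no iint, would cover it. The lone `goto out` can be avoided by wrapping the switch in `if (iint)`, which matches how the other field_init helpers above read.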
diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h
index 46e3f4d208c16..525075441a3f4 100644
--- a/security/integrity/ima/ima_template_lib.h
+++ b/security/integrity/ima/ima_template_lib.h
@@ -36,4 +36,6 @@ int ima_eventname_ng_init(struct ima_event_data *event_data,
struct ima_field_data *field_data);
int ima_eventsig_init(struct ima_event_data *event_data,
struct ima_field_data *field_data);
+int ima_eventstatus_init(struct ima_event_data *event_data,
+ struct ima_field_data *field_data);
#endif /* __LINUX_IMA_TEMPLATE_LIB_H */
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 9028a68a6c547..84b61141bd502 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -125,6 +125,7 @@ struct integrity_iint_cache {
u64 version; /* track inode changes */
unsigned long flags;
unsigned long atomic_flags;
+ int last_function;
enum integrity_status ima_file_status:4;
enum integrity_status ima_mmap_status:4;
enum integrity_status ima_bprm_status:4;
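Review bot: The new `int last_function;` member has no comment, unlike its neighbours, and nothing in this diff initialises or resets it; the iint allocation and free paths in integrity_iint.c are not touched, so if iint_free resets the per-hook status fields before returning the object to the slab, a recycled iint could carry a stale last_function and make the "status" template field select the wrong *_status (hedged: I cannot see those paths here). I would add `int last_function; /* hook of the last appraisal; selects the *_status reported by the "status" template field */` and reset it wherever the status fields are reset. Since it is compared against hook constants, `enum ima_hooks` (if that is the type of `func` in ima_set_cache_status) would document the domain better than `int`.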