From 8d94eb9b5cff350ba170848c862ca0006d33d496 Mon Sep 17 00:00:00 2001
From: Roberto Sassu
Date: Sat, 11 Apr 2015 17:12:39 +0200
Subject: [PATCH] ima: pass iint to ima_add_violation()

This patch adds the iint associated to the current inode as a new parameter of ima_add_violation(). The passed iint is always not NULL if a violation is detected. This modification will be used to determine the inode for which there is a violation.

Since the 'd' and 'd-ng' template field init() functions were detecting a violation from the value of the iint pointer, they now check the new field 'violation', added to the 'ima_event_data' structure.

Changelog:
- v1:
- modified an old comment (Roberto Sassu)

Signed-off-by: Roberto Sassu
Signed-off-by: Mimi Zohar
---
 security/integrity/ima/ima.h | 2 ++
 security/integrity/ima/ima_api.c | 8 +++++---
 security/integrity/ima/ima_init.c | 2 +-
 security/integrity/ima/ima_main.c | 5 +++--
 security/integrity/ima/ima_template_lib.c | 5 ++---
 5 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e13ae5466bf2..c996f7edff3a 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -59,6 +59,7 @@ struct ima_event_data {
 const unsigned char *filename;
 struct evm_ima_xattr_data *xattr_value;
 int xattr_len;
+ const char *violation;
 };
 
 /* IMA template field data definition */
@@ -110,6 +111,7 @@ int ima_calc_field_array_hash(struct ima_field_data *field_data,
 struct ima_digest_data *hash);
 int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
 void ima_add_violation(struct file *file, const unsigned char *filename,
+ struct integrity_iint_cache *iint,
 const char *op, const char *cause);
 int ima_init_crypto(void);
 void ima_putc(struct seq_file *m, void *data, int datalen);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 5865ea2a2777..1d950fbb2aec 100644
--- a/security/integrity/ima/ima_api.c
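Review bot: The new `violation` member added to `struct ima_event_data` in the `@@ -59,6 +59,7 @@` hunk is undocumented, yet it now carries the contract the `d` and `d-ng` template field init functions rely on: a non-NULL value means "this event records a violation, do not consult `iint->ima_hash`" (see the ima_template_lib.c hunks), and ima_add_violation() stores the `cause` string in it. A one-line comment on the field would make that coupling visible to the next person adding an event_data producer, e.g. `const char *violation; /* non-NULL (the cause string) iff the event records a violation; iint->ima_hash is not consulted then */`. The struct's leading members start outside the hunk.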
+++ b/security/integrity/ima/ima_api.c
@@ -126,11 +126,13 @@ int ima_store_template(struct ima_template_entry *entry,
 * value is invalidated.
 */
 void ima_add_violation(struct file *file, const unsigned char *filename,
+ struct integrity_iint_cache *iint,
 const char *op, const char *cause)
 {
 struct ima_template_entry *entry;
 struct inode *inode = file_inode(file);
- struct ima_event_data event_data = {NULL, file, filename, NULL, 0};
+ struct ima_event_data event_data = {iint, file, filename, NULL, 0,
+ cause};
 int violation = 1;
 int result;
 
@@ -264,8 +266,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
 int result = -ENOMEM;
 struct inode *inode = file_inode(file);
 struct ima_template_entry *entry;
- struct ima_event_data event_data = {iint, file, filename,
- xattr_value, xattr_len};
+ struct ima_event_data event_data = {iint, file, filename, xattr_value,
+ xattr_len, NULL};
 int violation = 0;
 
 if (iint->flags & IMA_MEASURED)
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 2c668370a438..e600cadd231c 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -50,7 +50,7 @@ static int __init ima_add_boot_aggregate(void)
 struct ima_template_entry *entry;
 struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
 struct ima_event_data event_data = {iint, NULL, boot_aggregate_name,
- NULL, 0};
+ NULL, 0, NULL};
 int result = -ENOMEM;
 int violation = 0;
 struct {
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index eeee00dce729..c21f09bf8b99 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
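Review bot: The `event_data` initializer in the ima_add_violation() hunk, like the ones in the ima_store_measurement() hunk below and in the ima_init.c hunk, is positional, which is why appending one member forced an edit to every producer and leaves the trailing `cause` / `NULL` identified only by position; designated initializers would bind each value to its field and let the zero defaults be omitted, e.g. `struct ima_event_data event_data = { .iint = iint, .file = file, .filename = filename, .violation = cause };`. As written, `event_data.violation` (a `const char *`) is also easy to confuse with the local `int violation = 1;` two lines below, which is a different thing (presumably the flag passed on to ima_store_template(); its use is outside the hunk). ima_add_violation()'s body continues outside the hunk.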
@@ -106,9 +106,10 @@ static void ima_rdwr_violation_check(struct file *file,
 
 *pathname = ima_d_path(&file->f_path, pathbuf);
 
 if (send_tomtou)
- ima_add_violation(file, *pathname, "invalid_pcr", "ToMToU");
+ ima_add_violation(file, *pathname, iint,
+ "invalid_pcr", "ToMToU");
 if (send_writers)
- ima_add_violation(file, *pathname,
+ ima_add_violation(file, *pathname, iint,
 "invalid_pcr", "open_writers");
 }
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 67d513367aac..de0ce4fbdf69 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -209,7 +209,7 @@ int ima_eventdigest_init(struct ima_event_data *event_data,
 
 memset(&hash, 0, sizeof(hash));
 
- if (!event_data->iint) /* recording a violation. */
+ if (event_data->violation) /* recording a violation. */
 goto out;
 
 if (ima_template_hash_algo_allowed(event_data->iint->ima_hash->algo)) {
@@ -247,8 +247,7 @@ int ima_eventdigest_ng_init(struct ima_event_data *event_data,
 u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1;
 u32 cur_digestsize = 0;
 
- /* If iint is NULL, we are recording a violation. */
- if (!event_data->iint)
+ if (event_data->violation) /* recording a violation. */
 goto out;
 
 cur_digest = event_data->iint->ima_hash->digest;
-- 
2.20.1
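Review bot: The `iint` now forwarded to ima_add_violation() in both calls of the ima_main.c hunk is only meaningful if it is non-NULL whenever `send_tomtou` or `send_writers` is set, and that guarantee is established, if at all, in the part of ima_rdwr_violation_check() before this hunk; nothing in the ima_add_violation() hunk checks the pointer before storing it in `event_data`. The commit message asserts the pointer is never NULL on this path, but the code carries no trace of that precondition, so a comment at the call sites would help, e.g. `/* iint is non-NULL whenever a violation was flagged above */`. ima_rdwr_violation_check() starts outside the hunk.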
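Review bot: With the guard in ima_eventdigest_init() changed from `!event_data->iint` to `event_data->violation`, here and in the ima_eventdigest_ng_init() hunk below, a NULL `iint` no longer short-circuits, so the following `event_data->iint->ima_hash->algo` (and `->digest` in the `ng` variant) becomes reachable for any producer that leaves both `iint` and `violation` NULL, a combination that was harmless before this patch. Today's producers avoid it (ima_add_violation() sets `violation = cause`, the other two pass a real iint), but the invariant is now spread across three files and rests on `cause` never being NULL. A defensive `if (event_data->violation || !event_data->iint)` would keep the old behaviour as a fallback; failing that, the comment should state what is relied on, e.g. `/* recording a violation: iint->ima_hash is presumably not populated, so the zeroed digest is used */`. Both functions start outside their hunks.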