Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1245488ybi; Fri, 14 Jun 2019 11:04:42 -0700 (PDT) X-Google-Smtp-Source: APXvYqzQ7evx8XdUqO4Js/fs9UsQ/+LP+YElJY2+6vtM/Y8s8XTdRfPMxH/uwJRYmeOo9Hhpq0mM X-Received: by 2002:a17:90a:d58d:: with SMTP id v13mr12362550pju.1.1560535482763; Fri, 14 Jun 2019 11:04:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560535482; cv=none; d=google.com; s=arc-20160816; b=xn79HiBetg/bu6ZWukbVvxTtuQTNZ45dROpphMWOl2jgkzZhMv0E9iRrKk2WEIj9uF 0pfAG+kCyqp23D7POmK0d+deS6ScOWQXpgeex0lm/+RH2V4St6ERZpDu4A2ZRpJ1mIZy OQQz9hxoGcIqYHUUjpsY60aFvVCnaLCB1Y4e9UOrkkkk1jAP7DmRrPHjL3qSeDZQjiQ9 zuiwf0syRJYcgGKn4wMnCKL8Y3xsLM4RRdsnDDHL5b1wUx4E5Nr78HByG0l8pFyfIODp yZTd/s0RNRxt32U9Lkln04o0v1+WuUOHHcjg1VQNy6Z0UqEAI+/2wSBOuhnWABp3f7++ xnLQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from; bh=IyHiD1g2eR7NjQIZH1zfZlhACLJ+cWEskgkb2V3OiKM=; b=OZf/d9L/jNG+pYeqjYUaYB345MfTHSHC4nt3IG75E7vhzaJgR1wnQdbRBSydZJA4+r 92BsFuWf/xHdSHN4+J4vhDYFJW56luysbTtEyE9yIJgk/h3K/QA1O4cF8YFL+aRxCP4+ YueCmiQ0lTwliXTfrQzboYrwuVP7yIoxEOoePdYV+GXd7ZMwJZLY1xv+6y5H0HbJVeoS ttaShj5kDiaRXUTaSNYz3F/rrplNMfxXh+NvB+ONYWUcbgdtcLpiXcq+hbreva1PhV3r Wge+y8eQdeEUgK4glWpewy/sf2JsFA9xrNRw+9Qy2Bo5NWZoJvfl8VEMOh3y/ngzKiYG a0Yg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t8si3138215pgn.112.2019.06.14.11.04.27; Fri, 14 Jun 2019 11:04:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727517AbfFNSEM (ORCPT + 99 others); Fri, 14 Jun 2019 14:04:12 -0400 Received: from lhrrgout.huawei.com ([185.176.76.210]:33017 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726305AbfFNSEL (ORCPT ); Fri, 14 Jun 2019 14:04:11 -0400 Received: from lhreml702-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id EADD767C6981C0E7D81F; Fri, 14 Jun 2019 19:04:09 +0100 (IST) Received: from roberto-HP-EliteDesk-800-G2-DM-65W.huawei.com (10.204.65.154) by smtpsuk.huawei.com (10.201.108.43) with Microsoft SMTP Server (TLS) id 14.3.408.0; Fri, 14 Jun 2019 19:03:59 +0100 From: Roberto Sassu To: , , CC: , , , , , , Roberto Sassu Subject: [PATCH v4 09/14] ima: introduce new securityfs files Date: Fri, 14 Jun 2019 19:55:08 +0200 Message-ID: <20190614175513.27097-10-roberto.sassu@huawei.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190614175513.27097-1-roberto.sassu@huawei.com> References: <20190614175513.27097-1-roberto.sassu@huawei.com> MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.204.65.154] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This patch introduces two new files in the securityfs filesystem: digest_list_data, loads a digest list from the specified path, if it is in the compact format, or loads a digest list converted by the user space parser; digests_count: shows the number of digests stored in the ima_digests_htable hash table. Signed-off-by: Roberto Sassu --- include/linux/fs.h | 1 + security/integrity/ima/ima_fs.c | 44 ++++++++++++++++++++++++++++++++- 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/include/linux/fs.h b/include/linux/fs.h index f7fdfe93e25d..0591a3c3cc2f 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2921,6 +2921,7 @@ extern int do_pipe_flags(int *, int); id(KEXEC_INITRAMFS, kexec-initramfs) \ id(POLICY, security-policy) \ id(X509_CERTIFICATE, x509-certificate) \ + id(DIGEST_LIST, digest-list) \ id(MAX_ID, ) #define __fid_enumify(ENUM, dummy) READING_ ## ENUM, diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 0f503b7cd396..b02b9a447d56 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -24,6 +24,7 @@ #include #include "ima.h" +#include "ima_digest_list.h" static DEFINE_MUTEX(ima_write_mutex); @@ -34,6 +35,8 @@ static struct dentry *ascii_runtime_measurements; static struct dentry *runtime_measurements_count; static struct dentry *violations; static struct dentry *ima_policy; +static struct dentry *digests_count; +static struct dentry *digest_list_data; bool ima_canonical_fmt; static int __init default_canonical_fmt_setup(char *str) @@ -58,6 +61,10 @@ static ssize_t ima_show_htable_value(struct file *filp, char __user *buf, val = &ima_htable.violations; else if (filp->f_path.dentry == runtime_measurements_count) val = &ima_htable.len; +#ifdef CONFIG_IMA_DIGEST_LIST + else if (filp->f_path.dentry == digests_count) + val = &ima_digests_htable.len; +#endif len = scnprintf(tmpbuf, sizeof(tmpbuf), "%li\n", atomic_long_read(val)); return simple_read_from_buffer(buf, count, ppos, tmpbuf, len); @@ -296,6 +303,9 @@ static ssize_t ima_read_file(char *path, enum kernel_read_file_id file_id) pr_debug("rule: %s\n", p); rc = ima_parse_add_rule(p); break; + case READING_DIGEST_LIST: + rc = ima_parse_compact_list(size, data); + break; default: break; } @@ -319,6 +329,10 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, char *data; ssize_t result; struct dentry *dentry = file_dentry(file); + enum kernel_read_file_id id = READING_POLICY; + + if (dentry == digest_list_data) + id = READING_DIGEST_LIST; /* No partial writes. */ result = -EINVAL; @@ -345,7 +359,7 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, goto out_free; if (data[0] == '/') { - result = ima_read_file(data, READING_POLICY); + result = ima_read_file(data, id); } else if (dentry == ima_policy) { if (ima_appraise & IMA_APPRAISE_POLICY) { pr_err("signed policy file (specified as an absolute pathname) required\n"); @@ -357,6 +371,11 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, } else { result = ima_parse_add_rule(data); } + } else if (dentry == digest_list_data) { + if (ima_check_current_is_parser()) + result = ima_parse_compact_list(datalen, data); + else + result = -EACCES; } else { pr_err("Unknown data type\n"); result = -EINVAL; @@ -373,6 +392,7 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, enum ima_fs_flags { IMA_POLICY_BUSY, + IMA_DIGEST_LIST_DATA_BUSY, IMA_FS_BUSY, }; @@ -382,6 +402,8 @@ static enum ima_fs_flags ima_get_dentry_flag(struct dentry *dentry) if (dentry == ima_policy) flag = IMA_POLICY_BUSY; + else if (dentry == digest_list_data) + flag = IMA_DIGEST_LIST_DATA_BUSY; return flag; } @@ -412,6 +434,8 @@ static int ima_open_data_upload(struct inode *inode, struct file *filp) read_allowed = true; seq_ops = &ima_policy_seqops; #endif + } else if (dentry == digest_list_data) { + ima_set_parser(current); } if (!(filp->f_flags & O_WRONLY)) { @@ -444,6 +468,9 @@ static int ima_release_data_upload(struct inode *inode, struct file *file) if ((file->f_flags & O_ACCMODE) == O_RDONLY) return seq_release(inode, file); + if (dentry == digest_list_data) + ima_set_parser(NULL); + if (dentry != ima_policy) { clear_bit(flag, &ima_fs_flags); return 0; @@ -529,8 +556,23 @@ int __init ima_fs_init(void) if (IS_ERR(ima_policy)) goto out; +#ifdef CONFIG_IMA_DIGEST_LIST + digests_count = securityfs_create_file("digests_count", + S_IRUSR | S_IRGRP, ima_dir, + NULL, &ima_htable_value_ops); + if (IS_ERR(digests_count)) + goto out; + + digest_list_data = securityfs_create_file("digest_list_data", S_IWUSR, + ima_dir, NULL, + &ima_data_upload_ops); + if (IS_ERR(digest_list_data)) + goto out; +#endif return 0; out: + securityfs_remove(digest_list_data); + securityfs_remove(digests_count); securityfs_remove(violations); securityfs_remove(runtime_measurements_count); securityfs_remove(ascii_runtime_measurements); -- 2.17.1