Message ID | 20171109024914.140203-1-wangboshi@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On Thu, 2017-11-09 at 10:49 +0800, Boshi Wang wrote: > Currently IMA can store digests, filenames and signatures. But there may > be different files which owns the same filename due to multiple mount > namespaces, e.g. in the container environment. To distingush them, we > introduce a new templete which contains a namespace field. The namespace > field stores the mount namespace number. A similar patch was previously posted by Guilherme Magalhaes. As discussed then, the namespace information should really not be included in the IMA measurement list, but as messages produced by ima_audit_measurement(). Guilherme posted a patch that adds the namespace info to the audit record. Mimi > Signed-off-by: Boshi Wang <wangboshi@huawei.com> > --- > security/integrity/ima/ima_template.c | 3 +++ > security/integrity/ima/ima_template_lib.c | 29 ++++++++++++++++++++++++++++- > security/integrity/ima/ima_template_lib.h | 4 ++++ > 3 files changed, 35 insertions(+), 1 deletion(-) > > diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c > index 7412d02..dd29d4e 100644 > --- a/security/integrity/ima/ima_template.c > +++ b/security/integrity/ima/ima_template.c > @@ -26,6 +26,7 @@ static struct ima_template_desc builtin_templates[] = { > {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT}, > {.name = "ima-ng", .fmt = "d-ng|n-ng"}, > {.name = "ima-sig", .fmt = "d-ng|n-ng|sig"}, > + {.name = "ima-ns", .fmt = "d-ng|n-ng|ns"}, > {.name = "", .fmt = ""}, /* placeholder for a custom format */ > }; > > @@ -43,6 +44,8 @@ static struct ima_template_field supported_fields[] = { > .field_show = ima_show_template_string}, > {.field_id = "sig", .field_init = ima_eventsig_init, > .field_show = ima_show_template_sig}, > + {.field_id = "ns", .field_init = ima_eventns_init, > + .field_show = ima_show_template_ns}, > }; > #define MAX_TEMPLATE_NAME_LEN 15 > > diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c > index 28af43f..e0eb67d 100644 > --- a/security/integrity/ima/ima_template_lib.c > +++ b/security/integrity/ima/ima_template_lib.c > @@ -13,6 +13,8 @@ > * Library of supported template fields. > */ > > +#include <linux/atomic.h> > +#include <linux/proc_ns.h> > #include "ima_template_lib.h" > > static bool ima_template_hash_algo_allowed(u8 algo) > @@ -27,7 +29,8 @@ enum data_formats { > DATA_FMT_DIGEST = 0, > DATA_FMT_DIGEST_WITH_ALGO, > DATA_FMT_STRING, > - DATA_FMT_HEX > + DATA_FMT_HEX, > + DATA_FMT_UINT > }; > > static int ima_write_template_field_data(const void *data, const u32 datalen, > @@ -90,6 +93,9 @@ static void ima_show_template_data_ascii(struct seq_file *m, > case DATA_FMT_STRING: > seq_printf(m, "%s", buf_ptr); > break; > + case DATA_FMT_UINT: > + seq_printf(m, "%u", *(unsigned int *)buf_ptr); > + break; > default: > break; > } > @@ -159,6 +165,12 @@ void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, > ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data); > } > > +void ima_show_template_ns(struct seq_file *m, enum ima_show_type show, > + struct ima_field_data *field_data) > +{ > + ima_show_template_field_data(m, show, DATA_FMT_UINT, field_data); > +} > + > /** > * ima_parse_buf() - Parses lengths and data from an input buffer > * @bufstartp: Buffer start address. > @@ -391,3 +403,18 @@ int ima_eventsig_init(struct ima_event_data *event_data, > out: > return rc; > } > + > +int ima_eventns_init(struct ima_event_data *event_data, > + struct ima_field_data *field_data) > +{ > + struct ns_common *ns; > + unsigned int ns_id; > + > + ns = mntns_operations.get(current); > + if (ns == NULL) > + return -ENOENT; > + ns_id = ns->inum; > + mntns_operations.put(ns); > + return ima_write_template_field_data(&ns_id, sizeof(ns_id), > + DATA_FMT_UINT, field_data); > +} > diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h > index 6a3d8b8..9ca9059 100644 > --- a/security/integrity/ima/ima_template_lib.h > +++ b/security/integrity/ima/ima_template_lib.h > @@ -29,6 +29,8 @@ void ima_show_template_string(struct seq_file *m, enum ima_show_type show, > struct ima_field_data *field_data); > void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, > struct ima_field_data *field_data); > +void ima_show_template_ns(struct seq_file *m, enum ima_show_type show, > + struct ima_field_data *field_data); > int ima_parse_buf(void *bufstartp, void *bufendp, void **bufcurp, > int maxfields, struct ima_field_data *fields, int *curfields, > unsigned long *len_mask, int enforce_mask, char *bufname); > @@ -42,4 +44,6 @@ int ima_eventname_ng_init(struct ima_event_data *event_data, > struct ima_field_data *field_data); > int ima_eventsig_init(struct ima_event_data *event_data, > struct ima_field_data *field_data); > +int ima_eventns_init(struct ima_event_data *event_data, > + struct ima_field_data *field_data); > #endif /* __LINUX_IMA_TEMPLATE_LIB_H */
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c index 7412d02..dd29d4e 100644 --- a/security/integrity/ima/ima_template.c +++ b/security/integrity/ima/ima_template.c @@ -26,6 +26,7 @@ static struct ima_template_desc builtin_templates[] = { {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT}, {.name = "ima-ng", .fmt = "d-ng|n-ng"}, {.name = "ima-sig", .fmt = "d-ng|n-ng|sig"}, + {.name = "ima-ns", .fmt = "d-ng|n-ng|ns"}, {.name = "", .fmt = ""}, /* placeholder for a custom format */ }; @@ -43,6 +44,8 @@ static struct ima_template_field supported_fields[] = { .field_show = ima_show_template_string}, {.field_id = "sig", .field_init = ima_eventsig_init, .field_show = ima_show_template_sig}, + {.field_id = "ns", .field_init = ima_eventns_init, + .field_show = ima_show_template_ns}, }; #define MAX_TEMPLATE_NAME_LEN 15 diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index 28af43f..e0eb67d 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c @@ -13,6 +13,8 @@ * Library of supported template fields. */ +#include <linux/atomic.h> +#include <linux/proc_ns.h> #include "ima_template_lib.h" static bool ima_template_hash_algo_allowed(u8 algo) @@ -27,7 +29,8 @@ enum data_formats { DATA_FMT_DIGEST = 0, DATA_FMT_DIGEST_WITH_ALGO, DATA_FMT_STRING, - DATA_FMT_HEX + DATA_FMT_HEX, + DATA_FMT_UINT }; static int ima_write_template_field_data(const void *data, const u32 datalen, @@ -90,6 +93,9 @@ static void ima_show_template_data_ascii(struct seq_file *m, case DATA_FMT_STRING: seq_printf(m, "%s", buf_ptr); break; + case DATA_FMT_UINT: + seq_printf(m, "%u", *(unsigned int *)buf_ptr); + break; default: break; } @@ -159,6 +165,12 @@ void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data); } +void ima_show_template_ns(struct seq_file *m, enum ima_show_type show, + struct ima_field_data *field_data) +{ + ima_show_template_field_data(m, show, DATA_FMT_UINT, field_data); +} + /** * ima_parse_buf() - Parses lengths and data from an input buffer * @bufstartp: Buffer start address. @@ -391,3 +403,18 @@ int ima_eventsig_init(struct ima_event_data *event_data, out: return rc; } + +int ima_eventns_init(struct ima_event_data *event_data, + struct ima_field_data *field_data) +{ + struct ns_common *ns; + unsigned int ns_id; + + ns = mntns_operations.get(current); + if (ns == NULL) + return -ENOENT; + ns_id = ns->inum; + mntns_operations.put(ns); + return ima_write_template_field_data(&ns_id, sizeof(ns_id), + DATA_FMT_UINT, field_data); +} diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h index 6a3d8b8..9ca9059 100644 --- a/security/integrity/ima/ima_template_lib.h +++ b/security/integrity/ima/ima_template_lib.h @@ -29,6 +29,8 @@ void ima_show_template_string(struct seq_file *m, enum ima_show_type show, struct ima_field_data *field_data); void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, struct ima_field_data *field_data); +void ima_show_template_ns(struct seq_file *m, enum ima_show_type show, + struct ima_field_data *field_data); int ima_parse_buf(void *bufstartp, void *bufendp, void **bufcurp, int maxfields, struct ima_field_data *fields, int *curfields, unsigned long *len_mask, int enforce_mask, char *bufname); @@ -42,4 +44,6 @@ int ima_eventname_ng_init(struct ima_event_data *event_data, struct ima_field_data *field_data); int ima_eventsig_init(struct ima_event_data *event_data, struct ima_field_data *field_data); +int ima_eventns_init(struct ima_event_data *event_data, + struct ima_field_data *field_data); #endif /* __LINUX_IMA_TEMPLATE_LIB_H */
Currently IMA can store digests, filenames and signatures. But there may be different files which owns the same filename due to multiple mount namespaces, e.g. in the container environment. To distingush them, we introduce a new templete which contains a namespace field. The namespace field stores the mount namespace number. Signed-off-by: Boshi Wang <wangboshi@huawei.com> --- security/integrity/ima/ima_template.c | 3 +++ security/integrity/ima/ima_template_lib.c | 29 ++++++++++++++++++++++++++++- security/integrity/ima/ima_template_lib.h | 4 ++++ 3 files changed, 35 insertions(+), 1 deletion(-)