| Message ID | 20200107194350.3782-3-nramas@linux.microsoft.com (mailing list archive) |
|---|---|
| State | New |
| Series | KEYS: Measure keys when they are created or updated |
On Tue, 2020-01-07 at 11:43 -0800, Lakshmi Ramasubramanian wrote:
> Call the IMA hook from key_create_or_update() function to measure
> the payload when a new key is created or an existing key is updated.
>
> This patch adds the call to the IMA hook from key_create_or_update()
> function to measure the key on key create or update.
>
> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> Cc: David Howells <dhowells@redhat.com>
> Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> Reported-by: kbuild test robot <lkp@intel.com> # ima_asymmetric_keys.c
> is built as a kernel module when it is actually not.
> Fixes: cb1aa3823c92 ("KEYS: Call the IMA hook to measure keys")

There are two ways of addressing a bug report. One is by fixing the original patch, while the other addresses the bug as a separate patch. If the fix is squashed into the original patch, the commit number will change. Only if the fix is a separate patch would you include the "Fixes" tag.

Mimi
diff --git a/include/linux/ima.h b/include/linux/ima.h index 6d904754d858..f4644c54f648 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -101,6 +101,20 @@ static inline void ima_add_kexec_buffer(struct kimage *image) {} #endif +#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS +extern void ima_post_key_create_or_update(struct key *keyring, + struct key *key, + const void *payload, size_t plen, + unsigned long flags, bool create); +#else +static inline void ima_post_key_create_or_update(struct key *keyring, + struct key *key, + const void *payload, + size_t plen, + unsigned long flags, + bool create) {} +#endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */ + #ifdef CONFIG_IMA_APPRAISE extern bool is_ima_appraise_enabled(void); extern void ima_inode_post_setattr(struct dentry *dentry); diff --git a/security/keys/key.c b/security/keys/key.c index 764f4c57913e..718bf7217420 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -13,6 +13,7 @@ #include <linux/security.h> #include <linux/workqueue.h> #include <linux/random.h> +#include <linux/ima.h> #include <linux/err.h> #include "internal.h" @@ -936,6 +937,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, goto error_link_end; } + ima_post_key_create_or_update(keyring, key, payload, plen, + flags, true); + key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); error_link_end: @@ -965,6 +969,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, } key_ref = __key_update(key_ref, &prep); + + if (!IS_ERR(key_ref)) + ima_post_key_create_or_update(keyring, key, + payload, plen, + flags, false); + goto error_free_prep; } EXPORT_SYMBOL(key_create_or_update);
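Review bot: the commit message's Reported-by remark ("ima_asymmetric_keys.c is built as a kernel module when it is actually not") is never connected to the include/linux/ima.h hunk that is supposed to address it. The hunk adds the `extern` declaration under `#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS` and an empty `static inline` stub under `#else`, which is what allows security/keys/key.c to call `ima_post_key_create_or_update()` unconditionally; the message should say in one sentence how that stub relates to the reported build problem instead of leaving the reader to infer it. Minor: the same six-parameter signature is wrapped over four continuation lines in the declaration and five in the stub; using one layout for both keeps future signature changes easy to diff.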
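Review bot: in the key-creation hunk of security/keys/key.c the new call sits after the `goto error_link_end;` failure branch, i.e. once the key has already been linked into the keyring, and `ima_post_key_create_or_update()` returns void, so a measurement that does not take place can neither be reported to the caller nor undo the link. That is a defensible choice for a measurement (as opposed to appraisal) hook, but the commit message only says the payload is measured; it should state explicitly that measurement is best-effort and never fails key creation, so readers of `key_create_or_update()` do not look for an error path here.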
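Review bot: in the update hunk, `__key_update(key_ref, &prep);` hands the key type the preparsed payload in `prep`, while the hook called right after it is passed the caller's raw `payload, plen`; the create-path call passes the same raw `payload, plen`. So on both paths the measured bytes are the blob supplied to `key_create_or_update()`, not whatever the type's preparse step derived from it. Either the commit message should say that the measurement covers the raw caller payload, or the hook should be given `prep` so the measured value matches the data the key is instantiated from. The `if (!IS_ERR(key_ref))` guard is right, but a short comment that the update-path measurement is deliberately skipped when `__key_update()` fails (the create path needs no such check because it runs only after a successful link) would save the next reader from wondering why the two call sites differ.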
Call the IMA hook from key_create_or_update() function to measure
the payload when a new key is created or an existing key is updated.

This patch adds the call to the IMA hook from key_create_or_update()
function to measure the key on key create or update.

Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reported-by: kbuild test robot <lkp@intel.com> # ima_asymmetric_keys.c is built as a kernel module when it is actually not.
Fixes: cb1aa3823c92 ("KEYS: Call the IMA hook to measure keys")
---
 include/linux/ima.h | 14 ++++++++++++++
 security/keys/key.c | 10 ++++++++++
 2 files changed, 24 insertions(+)