@@ -213,6 +213,7 @@ void __init integrity_load_keys(void)
{
ima_load_x509();
evm_load_x509();
+ ima_load_parser_digest_list();
}
static int __init integrity_fs_init(void)
@@ -307,3 +307,18 @@ config IMA_DIGEST_LIST
of accessed files are found in one of those lists, no new entries are
added to the measurement list, and access to the file is granted if
appraisal is in enforcing mode.
+
+config IMA_PARSER_DIGEST_LIST_PATH
+ string "Path of the parser digest list"
+ depends on IMA_DIGEST_LIST
+ default "/etc/ima/digest_lists/compact-upload_digest_lists"
+ help
+ This option defines the path of the digest list containing the
+ digest of the parser.
+
+config IMA_PARSER_BINARY_PATH
+ string "Path of the parser binary"
+ depends on IMA_DIGEST_LIST
+ default "/usr/bin/upload_digest_lists"
+ help
+ This option defines the path of the parser binary.
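Review bot: The help text for IMA_PARSER_DIGEST_LIST_PATH does not say what happens when no file exists at that path at boot; the loader in ima_digest_list.c returns without any message on -ENOENT, so a mistyped path or a missing list is indistinguishable from a deliberately absent one. Adding a sentence such as `If the file does not exist at boot, no digest list is loaded and the parser is not executed.` would document that behaviour for whoever sets the option. The same applies to IMA_PARSER_BINARY_PATH, where a missing binary currently produces no diagnostic either.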
@@ -240,3 +240,45 @@ struct ima_digest *ima_digest_allow(struct ima_digest *digest, int action)
return digest;
}
+
+/********************
+ * Parser execution *
+ ********************/
+static void ima_exec_parser(void)
+{
+ char *argv[2] = {NULL}, *envp[1] = {NULL};
+
+ argv[0] = (char *)CONFIG_IMA_PARSER_BINARY_PATH;
+ call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
+}
+
+void __init ima_load_parser_digest_list(void)
+{
+ void *datap;
+ loff_t size;
+ int ret;
+
+ if (!(ima_digest_list_actions & ima_policy_flag))
+ return;
+
+ ima_set_parser(current);
+ ret = kernel_read_file_from_path(CONFIG_IMA_PARSER_DIGEST_LIST_PATH,
+ &datap, &size, 0, READING_DIGEST_LIST);
+ ima_set_parser(NULL);
+
+ if (ret < 0) {
+ if (ret != -ENOENT)
+ pr_err("Unable to open file: %s (%d)",
+ CONFIG_IMA_PARSER_DIGEST_LIST_PATH, ret);
+ return;
+ }
+
+ ret = ima_parse_compact_list(size, datap);
+
+ vfree(datap);
+
+ if (ret < 0)
+ return;
+
+ ima_exec_parser();
+}
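Review bot: The pr_err() in the kernel_read_file_from_path() failure branch of ima_load_parser_digest_list() has no trailing newline, so the message will run into whatever is logged next; use `pr_err("Unable to open file: %s (%d)\n", CONFIG_IMA_PARSER_DIGEST_LIST_PATH, ret);`. In ima_exec_parser() the return value of call_usermodehelper() is discarded, so a missing, unexecutable or failing parser binary (UMH_WAIT_PROC makes its exit status visible in the return value) leaves no trace in the log even though the digest lists then never get uploaded; `ret = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC); if (ret) pr_err("Unable to execute %s (%d)\n", argv[0], ret);`. The ima_parse_compact_list() failure path is equally silent and deserves at least a pr_err() naming the list path. Since the function is reached from integrity_load_keys() in another file, a short header comment stating that it reads the compact list at CONFIG_IMA_PARSER_DIGEST_LIST_PATH with current marked as parser, parses it, and only then launches the parser helper would help readers place it.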
@@ -213,6 +213,14 @@ static inline void evm_load_x509(void)
}
#endif
+#ifdef CONFIG_IMA_DIGEST_LIST
+void __init ima_load_parser_digest_list(void);
+#else
+static inline void ima_load_parser_digest_list(void)
+{
+}
+#endif
+
#ifdef CONFIG_INTEGRITY_AUDIT
/* declarations */
void integrity_audit_msg(int audit_msgno, struct inode *inode,
Digest lists should be uploaded to IMA as soon as possible, otherwise file digests would appear in the measurement list or access would be denied if appraisal is in enforcing mode. This patch adds a call to ima_load_parser_digest_list() in integrity_load_keys(), so that the function is executed when rootfs becomes available, before the init process is executed. ima_load_parser_digest_list() loads a compact list containing the digests of the parser and the shared libraries. This list is measured and appraised depending on the current IMA policy. Then, the function executes the parser executable with the User-Mode-Helper (UMH).
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 security/integrity/iint.c | 1 +
 security/integrity/ima/Kconfig | 15 +++++++++
 security/integrity/ima/ima_digest_list.c | 42 ++++++++++++++++++++++++
 security/integrity/integrity.h | 8 +++++
 4 files changed, 66 insertions(+)