@@ -28,6 +28,7 @@ Description:
base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
[FIRMWARE_CHECK]
[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
+ [KEXEC_CMDLINE_CHECK]
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
[[^]MAY_EXEC]
fsmagic:= hex value
@@ -14,6 +14,7 @@
struct linux_binprm;
enum ima_buffer_id {
+ MEASURING_KEXEC_CMDLINE,
MEASURING_MAX_BUFFER_ID
};
@@ -19,6 +19,7 @@
#include <linux/mutex.h>
#include <linux/list.h>
#include <linux/fs.h>
+#include <linux/ima.h>
#include <crypto/hash.h>
#include <crypto/sha.h>
#include <linux/syscalls.h>
@@ -178,6 +179,9 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
ret = -EINVAL;
goto out;
}
+
+ ima_buffer_check(image->cmdline_buf, cmdline_len - 1,
+ MEASURING_KEXEC_CMDLINE);
}
/* Call arch image load handlers */
@@ -150,6 +150,7 @@ enum ima_hooks {
FIRMWARE_CHECK,
KEXEC_KERNEL_CHECK,
KEXEC_INITRAMFS_CHECK,
+ KEXEC_CMDLINE_CHECK,
POLICY_CHECK,
MAX_CHECK
};
@@ -20,6 +20,8 @@ struct buffer_idmap {
};
static struct buffer_idmap _idmap[MEASURING_MAX_BUFFER_ID] = {
+ [MEASURING_KEXEC_CMDLINE].func = KEXEC_CMDLINE_CHECK,
+ [MEASURING_KEXEC_CMDLINE].buf = "boot-cmdline",
};
static void process_buffer_measurement(void *buf, loff_t size,
@@ -663,6 +663,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK")
== 0)
entry->func = KEXEC_INITRAMFS_CHECK;
+ else if (strcmp(args[0].from, "KEXEC_CMDLINE_CHECK")
+ == 0)
+ entry->func = KEXEC_CMDLINE_CHECK;
else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
entry->func = POLICY_CHECK;
else
@@ -926,7 +929,7 @@ enum {
func_file = 0, func_mmap, func_bprm,
func_module, func_firmware, func_post,
func_kexec_kernel, func_kexec_initramfs,
- func_policy
+ func_kexec_cmdline, func_policy
};
static char *func_tokens[] = {
@@ -938,6 +941,7 @@ static char *func_tokens[] = {
"POST_SETATTR",
"KEXEC_KERNEL_CHECK",
"KEXEC_INITRAMFS_CHECK",
+ "KEXEC_CMDLINE_CHECK",
"POLICY_CHECK"
};
@@ -1009,6 +1013,9 @@ static void policy_func_show(struct seq_file *m, enum ima_hooks func)
case KEXEC_INITRAMFS_CHECK:
seq_printf(m, pt(Opt_func), ft(func_kexec_initramfs));
break;
+ case KEXEC_CMDLINE_CHECK:
+ seq_printf(m, pt(Opt_func), ft(func_kexec_cmdline));
+ break;
case POLICY_CHECK:
seq_printf(m, pt(Opt_func), ft(func_policy));
break;
This patch defines the buffer identifier "KEXEC_CMDLINE_CHECK" for measuring the boot command line. eg: echo -n -e `cat /proc/cmdline | sed 's/^.*root=/root=/'` | sha256sum Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> --- Documentation/ABI/testing/ima_policy | 1 + include/linux/ima.h | 1 + kernel/kexec_file.c | 4 ++++ security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_buffer.c | 2 ++ security/integrity/ima/ima_policy.c | 9 ++++++++- 6 files changed, 17 insertions(+), 1 deletion(-)