Message ID | 20210723085304.1760138-2-roberto.sassu@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Series | ima: Provide more info about buffer measurement |
On Fri, 2021-07-23 at 10:53 +0200, Roberto Sassu wrote:
> Buffer measurements, unlike file measurements, are not accessible after the
> measurement is done, as buffers are not suitable for use with the
> integrity_iint_cache structure (there is no index, for files it is the
> inode number). In the subsequent patches, the measurement (digest) will be
> returned directly by the functions that perform the buffer measurement,
> ima_measure_critical_data() and process_buffer_measurement().
>
> A caller of those functions also needs to know the algorithm used to
> calculate the digest. Instead of adding the algorithm as a new parameter to
> the functions, this patch provides it separately with the new function
> ima_get_current_hash_algo().
>
> Since the hash algorithm does not change after the IMA setup phase, there
> is no risk of races (obtaining a digest calculated with a different
> algorithm than the one returned).

Perfect explanation for annotating ima_hash_algo like:

int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;

Assuming you don't object, I'll include this change in this patch.

thanks,

Mimi

>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> Sent: Friday, July 23, 2021 2:49 PM
> On Fri, 2021-07-23 at 10:53 +0200, Roberto Sassu wrote:
> > Buffer measurements, unlike file measurements, are not accessible after the
> > measurement is done, as buffers are not suitable for use with the
> > integrity_iint_cache structure (there is no index, for files it is the
> > inode number). In the subsequent patches, the measurement (digest) will be
> > returned directly by the functions that perform the buffer measurement,
> > ima_measure_critical_data() and process_buffer_measurement().
> >
> > A caller of those functions also needs to know the algorithm used to
> > calculate the digest. Instead of adding the algorithm as a new parameter to
> > the functions, this patch provides it separately with the new function
> > ima_get_current_hash_algo().
> >
> > Since the hash algorithm does not change after the IMA setup phase, there
> > is no risk of races (obtaining a digest calculated with a different
> > algorithm than the one returned).
>
> Perfect explanation for annotating ima_hash_algo like:
>
> int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
>
> Assuming you don't object, I'll include this change in this patch.

Sure, thanks.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

> thanks,
>
> Mimi
>
> >
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
diff --git a/include/linux/ima.h b/include/linux/ima.h index 61d5723ec303..81e830d01ced 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -11,9 +11,11 @@ #include <linux/fs.h> #include <linux/security.h> #include <linux/kexec.h> +#include <crypto/hash_info.h> struct linux_binprm; #ifdef CONFIG_IMA +extern enum hash_algo ima_get_current_hash_algo(void); extern int ima_bprm_check(struct linux_binprm *bprm); extern int ima_file_check(struct file *file, int mask); extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns, @@ -64,6 +66,11 @@ static inline const char * const *arch_get_ima_policy(void) #endif #else +static inline enum hash_algo ima_get_current_hash_algo(void) +{ + return HASH_ALGO__LAST; +} + static inline int ima_bprm_check(struct linux_binprm *bprm) { return 0; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 287b90509006..8ef1fa357e0c 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -76,6 +76,11 @@ static int __init hash_setup(char *str) } __setup("ima_hash=", hash_setup); +enum hash_algo ima_get_current_hash_algo(void) +{ + return ima_hash_algo; +} + /* Prevent mmap'ing a file execute that is already mmap'ed write */ static int mmap_violation_check(enum ima_hooks func, struct file *file, char **pathbuf, const char **pathname,
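Review bot: the new `extern enum hash_algo ima_get_current_hash_algo(void);` declaration in the first include/linux/ima.h hunk (@@ -11,9 +11,11 @@) carries no comment about when its return value is meaningful, even though the commit message's race-freedom argument rests entirely on the algorithm being fixed once IMA setup has completed. A one-line comment at the declaration, e.g. `/* Hash algorithm used for IMA measurements; fixed after IMA setup */`, would tell callers that the value can be cached and compared against digests returned by ima_measure_critical_data() and process_buffer_measurement() without re-querying. The `#include <crypto/hash_info.h>` added outside the `#ifdef CONFIG_IMA` block is required, since `enum hash_algo` is the return type of both the real declaration and the stub below and an enum cannot be forward-declared.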
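Review bot: the !CONFIG_IMA stub in the second include/linux/ima.h hunk (@@ -64,6 +66,11 @@) returns `HASH_ALGO__LAST`, which is the terminating value of `enum hash_algo` rather than a real algorithm, so any caller that uses the result to index a table sized by `HASH_ALGO__LAST`, or passes it on as "the algorithm of the digest", would misbehave unless it checks for the sentinel first. Either document at the stub that `HASH_ALGO__LAST` means "IMA is not built in, no measurement was taken and no digest is valid" and that callers must test for it before use, or pick a return contract that every caller already handles (for example, mirroring the error the corresponding IMA-disabled measurement stubs return). As written, the meaning of the sentinel exists only in the reader's head, not in the header.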
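Review bot: `ima_get_current_hash_algo()` in the security/integrity/ima/ima_main.c hunk (@@ -76,6 +76,11 @@) is a new non-static function without a kernel-doc comment; add one stating that it returns the algorithm selected by the `ima_hash=` parameter (the context lines show `static int __init hash_setup(char *str)` and `__setup("ima_hash=", hash_setup);` as the only writer) and that this is the algorithm of every digest the buffer-measurement functions will return. Since the accessor now exposes `ima_hash_algo` to code outside IMA, the guarantee it relies on should be enforced rather than assumed: as agreed in the thread, the definition should become `int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;` in this same patch, so the variable is mapped read-only once init finishes and a later write (a bug or a memory-corruption primitive) cannot silently desynchronise the reported algorithm from the digests already recorded in the measurement list.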