summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorTushar Sugandhi <tusharsu@linux.microsoft.com>2021-01-08 05:07:04 +0100
committerMimi Zohar <zohar@linux.ibm.com>2021-01-15 05:41:29 +0100
commitc4e43aa2eeb0cffcf0b17e0a60a9d212de9c49df (patch)
treeff7e0d487666f7f58650353636f6bc0fc75098c8 /security
parentIMA: define a hook to measure kernel integrity critical data (diff)
downloadlinux-c4e43aa2eeb0cffcf0b17e0a60a9d212de9c49df.tar.xz
linux-c4e43aa2eeb0cffcf0b17e0a60a9d212de9c49df.zip
IMA: add policy rule to measure critical data
A new IMA policy rule is needed for the IMA hook ima_measure_critical_data() and the corresponding func CRITICAL_DATA for measuring the input buffer. The policy rule should ensure the buffer would get measured only when the policy rule allows the action. The policy rule should also support the necessary constraints (flags etc.) for integrity critical buffer data measurements. Add policy rule support for measuring integrity critical data. Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com> Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/ima/ima_policy.c29
1 files changed, 25 insertions, 4 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index b93966034368..96ba4273c4d0 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -478,6 +478,8 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule,
opt_list = rule->keyrings;
break;
+ case CRITICAL_DATA:
+ return true;
default:
return false;
}
@@ -514,13 +516,19 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
{
int i;
- if (func == KEY_CHECK) {
- return (rule->flags & IMA_FUNC) && (rule->func == func) &&
- ima_match_rule_data(rule, func_data, cred);
- }
if ((rule->flags & IMA_FUNC) &&
(rule->func != func && func != POST_SETATTR))
return false;
+
+ switch (func) {
+ case KEY_CHECK:
+ case CRITICAL_DATA:
+ return ((rule->func == func) &&
+ ima_match_rule_data(rule, func_data, cred));
+ default:
+ break;
+ }
+
if ((rule->flags & IMA_MASK) &&
(rule->mask != mask && func != POST_SETATTR))
return false;
@@ -1116,6 +1124,17 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
return false;
break;
+ case CRITICAL_DATA:
+ if (entry->action & ~(MEASURE | DONT_MEASURE))
+ return false;
+
+ if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR))
+ return false;
+
+ if (ima_rule_contains_lsm_cond(entry))
+ return false;
+
+ break;
default:
return false;
}
@@ -1247,6 +1266,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) &&
strcmp(args[0].from, "KEY_CHECK") == 0)
entry->func = KEY_CHECK;
+ else if (strcmp(args[0].from, "CRITICAL_DATA") == 0)
+ entry->func = CRITICAL_DATA;
else
result = -EINVAL;
if (!result)