IMA: define a hook to measure kernel integrity critical data

author Tushar Sugandhi <tusharsu@linux.microsoft.com>

Fri, 8 Jan 2021 04:07:03 +0000 (20:07 -0800)

committer Mimi Zohar <zohar@linux.ibm.com>

Fri, 15 Jan 2021 04:41:26 +0000 (23:41 -0500)
author Tushar Sugandhi <tusharsu@linux.microsoft.com>
Fri, 8 Jan 2021 04:07:03 +0000 (20:07 -0800)
committer Mimi Zohar <zohar@linux.ibm.com>
Fri, 15 Jan 2021 04:41:26 +0000 (23:41 -0500)
diff --git a/include/linux/ima.h b/include/linux/ima.h

index 7db9cca1af34fef18074189324418e38ea1c81dd..59bd90ac3c35c04fedcf098cbc6e2af71b097a1e 100644 (file)
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -31,6 +31,9 @@ extern void ima_post_path_mknod(struct dentry *dentry);
  extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
  extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size);
  extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);
+extern void ima_measure_critical_data(const char *event_name,
+                                     const void *buf, size_t buf_len,
+                                     bool hash);
  
  #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
  extern void ima_appraise_parse_cmdline(void);
@@ -128,6 +131,10 @@ static inline int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size
  }
  
  static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {}
+
+static inline void ima_measure_critical_data(const char *event_name,
+                                            const void *buf, size_t buf_len,
+                                            bool hash) {}
  #endif /* CONFIG_IMA */
  
  #ifndef CONFIG_IMA_KEXEC
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h

index 0b463451583943e1a63e58b859a65f0e36b69a91..aa312472c7c5382d907942683855a53a33d2597e 100644 (file)
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -201,6 +201,7 @@ static inline unsigned int ima_hash_key(u8 *digest)
         hook(POLICY_CHECK, policy)                      \
         hook(KEXEC_CMDLINE, kexec_cmdline)              \
         hook(KEY_CHECK, key)                            \
+       hook(CRITICAL_DATA, critical_data)              \
         hook(MAX_CHECK, none)
  
  #define __ima_hook_enumify(ENUM, str)  ENUM,
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c

index e76499b1ce78877bf3a33a4012ca48e155186984..1dd70dc68ffdea5c3da7a97d862342811aa6e335 100644 (file)
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -176,7 +176,7 @@ err_out:
   *             subj=, obj=, type=, func=, mask=, fsmagic=
   *     subj,obj, and type: are LSM specific.
   *     func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
- *     | KEXEC_CMDLINE | KEY_CHECK
+ *     | KEXEC_CMDLINE | KEY_CHECK | CRITICAL_DATA
   *     mask: contains the permission mask
   *     fsmagic: hex value
   *
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c

index 250e52114230c3ccc4cbb3553a5d63fcb6d8cb71..251e7b4006f4b897941d713e06020f88ce4f367f 100644 (file)
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -943,6 +943,30 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
         fdput(f);
  }
  
+/**
+ * ima_measure_critical_data - measure kernel integrity critical data
+ * @event_name: event name for the record in the IMA measurement list
+ * @buf: pointer to buffer data
+ * @buf_len: length of buffer data (in bytes)
+ * @hash: measure buffer data hash
+ *
+ * Measure data critical to the integrity of the kernel into the IMA log
+ * and extend the pcr.  Examples of critical data could be various data
+ * structures, policies, and states stored in kernel memory that can
+ * impact the integrity of the system.
+ */
+void ima_measure_critical_data(const char *event_name,
+                              const void *buf, size_t buf_len,
+                              bool hash)
+{
+       if (!event_name || !buf || !buf_len)
+               return;
+
+       process_buffer_measurement(NULL, buf, buf_len, event_name,
+                                  CRITICAL_DATA, 0, NULL,
+                                  hash);
+}
+
  static int __init init_ima(void)
  {
         int error;
author	Tushar Sugandhi <tusharsu@linux.microsoft.com>
	Fri, 8 Jan 2021 04:07:03 +0000 (20:07 -0800)
committer	Mimi Zohar <zohar@linux.ibm.com>
	Fri, 15 Jan 2021 04:41:26 +0000 (23:41 -0500)
include/linux/ima.h		patch \| blob \| history
security/integrity/ima/ima.h		patch \| blob \| history
security/integrity/ima/ima_api.c		patch \| blob \| history
security/integrity/ima/ima_main.c		patch \| blob \| history