From: Mimi Z. <zo...@li...> - 2010-06-07 12:43:40
Adding the template length to the binary_runtime_measurement list
simplifies userspace support for different template types.
This patch introduces the command line option 'ima_template='
for backward compatibility.
Signed-off-by: Mimi Zohar <zo...@us...>
---
Documentation/kernel-parameters.txt | 5 +++++
security/integrity/ima/ima.h | 3 +++
security/integrity/ima/ima_api.c | 6 +++++-
security/integrity/ima/ima_fs.c | 16 ++++++++++++++--
4 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 1808f11..009b6ab 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -988,6 +988,11 @@ and is between 256 and 4096 characters. It is defined in the file
programs exec'd, files mmap'd for exec, and all files
opened for read by uid=0.
+ ima_template= [IMA]
+ Support additional runtime measurement formats.
+ Format: { "ima" | "ima-ng" }
+ default: "ima"
+
in2000= [HW,SCSI]
See header of drivers/scsi/in2000.c.
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 16d100d..6a6c80c 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -24,6 +24,9 @@
#include <linux/tpm.h>
#include <linux/audit.h>
+enum ima_template_t { IMA_TEMPLATE, IMA_NG_TEMPLATE };
+extern int ima_template;
+
enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_ASCII };
enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
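Review bot: The new `enum ima_template_t` and `extern int ima_template` carry no comment saying what the two values select or where the variable is defined and set, so a reader of ima.h has to go find ima_fs.c. Suggest a comment above the enum along the lines of `/* runtime measurement list format: IMA_TEMPLATE is the original layout, IMA_NG_TEMPLATE adds the template length after the name; chosen at boot via ima_template= */`. As a point of style, declaring the variable as `enum ima_template_t` instead of `int` would let the compiler flag assignments of unrelated integers.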
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 52015d0..3eb2f22 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -17,6 +17,7 @@
#include "ima.h"
static const char *IMA_TEMPLATE_NAME = "ima";
+static const char *IMA_NG_TEMPLATE_NAME = "ima-ng";
/*
* ima_store_template - store ima template measurements
@@ -42,7 +43,10 @@ int ima_store_template(struct ima_template_entry *entry,
int result;
memset(entry->digest, 0, sizeof(entry->digest));
- entry->template_name = IMA_TEMPLATE_NAME;
+ if (ima_template == IMA_NG_TEMPLATE)
+ entry->template_name = IMA_NG_TEMPLATE_NAME;
+ else
+ entry->template_name = IMA_TEMPLATE_NAME;
entry->template_len = sizeof(entry->template);
if (!violation) {
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 8fe736a..5221c83 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -25,6 +25,15 @@
#include "ima.h"
+int ima_template = IMA_NG_TEMPLATE;
+static int __init ima_template_setup(char *str)
+{
+ if (strncmp(str, "ima", 3) == 0)
+ ima_template = IMA_TEMPLATE;
+ return 1;
+}
+__setup("ima_template=", ima_template_setup);
+
static int valid_policy = 1;
#define TMPBUFLEN 12
static ssize_t ima_show_htable_value(char __user *buf, size_t count,
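Review bot: The `strncmp(str, "ima", 3) == 0` test in ima_template_setup also matches "ima-ng", since "ima" is its prefix, so `ima_template=ima-ng` selects the legacy IMA_TEMPLATE and the new format can only be obtained by omitting the option; any other value is silently ignored as well. Comparing the whole token fixes both: `if (strcmp(str, "ima") == 0) ima_template = IMA_TEMPLATE; else if (strcmp(str, "ima-ng") == 0) ima_template = IMA_NG_TEMPLATE;`, and an unmatched value could be reported with pr_err so a typo on the command line does not silently change the measurement list format that userspace attestation tools will parse. The initializer `int ima_template = IMA_NG_TEMPLATE;` also contradicts the kernel-parameters.txt hunk, which states `default: "ima"`; one of the two should change so the documented and actual defaults agree. A one-line comment above the definition, such as `/* measurement list format; fixed at boot via ima_template= */`, would also help readers locate the setup hook.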
@@ -86,8 +95,7 @@ static void *ima_measurements_next(struct seq_file *m, void *v, loff_t *pos)
* against concurrent list-extension
*/
rcu_read_lock();
- qe = list_entry_rcu(qe->later.next,
- struct ima_queue_entry, later);
+ qe = list_entry_rcu(qe->later.next, struct ima_queue_entry, later);
rcu_read_unlock();
(*pos)++;
@@ -109,6 +117,7 @@ static void ima_putc(struct seq_file *m, void *data, int datalen)
* char[20]=template digest
* 32bit-le=template name size
* char[n]=template name
+ * [eventdata length]
* eventdata[n]=template specific data
*/
static int ima_measurements_show(struct seq_file *m, void *v)
@@ -141,6 +150,9 @@ static int ima_measurements_show(struct seq_file *m, void *v)
/* 4th: template name */
ima_putc(m, (void *)e->template_name, namelen);
+ if (ima_template != IMA_TEMPLATE)
+ ima_putc(m, &e->template_len, sizeof e->template_len);
+
/* 5th: template specific data */
ima_template_show(m, (struct ima_template_data *)&e->template,
IMA_SHOW_BINARY);
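Review bot: The new `ima_putc(m, &e->template_len, sizeof e->template_len)` emits template_len in host byte order and at whatever width that field has, while the format comment earlier in this file describes the neighbouring length field as `32bit-le`; if template_len is not a fixed-width little-endian value, a userspace parser on a big-endian or different-word-size system cannot rely on the layout. Either copy it into a u32 temporary with cpu_to_le32 before emitting, or document the actual width and byte order next to the field. The presence of the field is keyed on the global `ima_template` rather than on the entry's own template_name, which is consistent only because the option is fixed at __init time; a comment such as `/* ima-ng entries carry an explicit template data length */` would record that assumption. The added format-comment line `[eventdata length]` in the earlier hunk should likewise say the field is present only for the ima-ng template. ima_measurements_show begins and ends outside this hunk.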
--
1.6.6.1