From: Mimi Z. <zo...@li...> - 2010-06-07 12:44:07
There are a variety of criteria that can be used to determine if a
file must be measured or not. A useful feature of recent versions
of IMA is the ability to make measurement decisions based on the
label assigned by a "Mandatory Access Control" system to the process
that is accessing a file, or on the LSM label of the file itself. In
general this data, i.e. LSM subject/object labels, can be used during
the "Remote Attestation" by a verifier to better evaluate whether a trust
relationship should be established with the remote peer.
This patch adds LSM object/subject labels to the ima-nglong template,
used in remote attestation.
Signed-off-by: Roberto Sassu <rob...@po...>
Signed-off-by: Mimi Zohar <zo...@us...>
---
security/integrity/ima/ima.h | 4 +-
security/integrity/ima/ima_api.c | 80 +++++++++++++++++++++++++++++-------
security/integrity/ima/ima_fs.c | 36 ++++++++++++----
security/integrity/ima/ima_queue.c | 5 ++-
4 files changed, 100 insertions(+), 25 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 4be13fa..26c830e 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -86,7 +86,9 @@ extern void ima_ng_get_offsets(struct ima_template_entry *entry,
unsigned short *o_digest,
unsigned short *o_filename,
unsigned short *o_uid,
- unsigned short *o_gid);
+ unsigned short *o_gid,
+ u32 *o_obj_lsm_label_len,
+ u32 *o_subj_lsm_label_len);
extern struct ima_template_entry *ima_ng_alloc_init_entry(struct inode *inode,
const unsigned char
*filename,
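Review bot: The two parameters added to the prototype are named `o_obj_lsm_label_len` and `o_subj_lsm_label_len`, while the definition in ima_api.c calls them `o_obj_label_len` and `o_subj_label_len`; the declaration and definition should use the same names so a reader can match them up. The callers are split the same way (ima_fs.c uses the `_lsm_` form, ima_queue.c the short form), so picking one spelling for all four sites would help. The prototype also does not say that these, like `o_filename`, are in/out parameters; a one-line comment such as `/* in: label length when entry is NULL, out: offset of the length field */` next to them would avoid surprises.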
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index b3fd469..cb67f21 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -1,5 +1,7 @@
/*
- * Copyright (C) 2008 IBM Corporation
+ * Copyright (C) 2008 - 2010 IBM Corporation
+ * Copyright (C) 2010 Politecnico di Torino, Italy,
+ * Roberto Sassu <rob...@po...>
*
* Author: Mimi Zohar <zo...@us...>
*
@@ -176,17 +178,27 @@ out:
void ima_ng_get_offsets(struct ima_template_entry *entry,
unsigned short *o_digest, unsigned short *o_filename,
- unsigned short *o_uid, unsigned short *o_gid)
+ unsigned short *o_uid, unsigned short *o_gid,
+ u32 *o_obj_label_len, u32 *o_subj_label_len)
{
int filename_len = *o_filename;
+ u32 obj_label_len = *o_obj_label_len;
*o_digest = strlen(ima_template_hash) + 1;
*o_filename = *o_digest + ima_template_hash_size;
- if (filename_len > 0)
- *o_uid = *o_filename + filename_len + 1;
- else
+
+ if (ima_template == IMA_NG_TEMPLATE)
+ return;
+ if (entry)
*o_uid = *o_filename + strlen((char *)entry + *o_filename) + 1;
+ else
+ *o_uid = *o_filename + filename_len + 1;
*o_gid = *o_uid + sizeof(uid_t);
+
+ *o_obj_label_len = *o_gid + sizeof(gid_t);
+ if (entry)
+ obj_label_len = *(u32 *) ((char *)entry + *o_obj_label_len);
+ *o_subj_label_len = *o_obj_label_len + sizeof(u32) + obj_label_len + 1;
}
/* ima_ng_alloc_init_entry - allocate and initialize the new entry
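Review bot: `*o_obj_label_len` is read as an input at L58 (the object label length, only meaningful when `entry` is NULL) and then overwritten as an output offset at L73, mirroring the existing `*o_filename` trick, and the early return added at L65-66 leaves `*o_uid`, `*o_gid` and both label offsets untouched for the NG template; neither fact is stated anywhere. A header comment along the lines of `/* o_filename and o_obj_label_len carry the filename / object label length on entry when entry is NULL; on return every o_* holds an offset into the template data. For IMA_NG_TEMPLATE only o_digest and o_filename are set. */` would make the contract explicit. The `*(u32 *)` load at L75 sits at an offset that follows a NUL-terminated filename plus uid/gid, so it is not 4-byte aligned in general; `obj_label_len = get_unaligned((u32 *)((char *)entry + *o_obj_label_len));` is the kernel idiom and avoids a fault on strict-alignment architectures. The same applies to the two `*(u32 *)` reads in ima_template_show() in ima_fs.c.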
@@ -202,6 +214,10 @@ void ima_ng_get_offsets(struct ima_template_entry *entry,
* additional: ima_nglong template
* uid_t - file's uid
* gid_t - file's gid
+ * u32 obj_label len
+ * char obj_label[] - null terminated LSM object label
+ * u32 subj_label len
+ * char subj_label[] - null terminated LSM subject label
*/
struct ima_template_entry *ima_ng_alloc_init_entry(struct inode *inode,
const unsigned char
@@ -209,12 +225,31 @@ struct ima_template_entry *ima_ng_alloc_init_entry(struct inode *inode,
{
struct ima_template_entry *entry;
unsigned short o_digest, o_filename, o_uid, o_gid;
- unsigned short template_data_size;
+ u32 o_obj_label_len = 0, o_subj_label_len = 0;
+ u32 obj_label_len = 0, subj_label_len = 0;
+ char *obj_label = NULL;
+ char *subj_label = NULL;
+ int template_data_size;
+
+ if ((ima_template == IMA_NGLONG_TEMPLATE) && inode) {
+ u32 osid, sid;
+ int rc;
+
+ security_inode_getsecid(inode, &osid);
+ rc = security_secid_to_secctx(osid, &obj_label, &obj_label_len);
+ o_obj_label_len = obj_label_len;
+ security_task_getsecid(current, &sid);
+ rc = security_secid_to_secctx(sid, &subj_label,
+ &subj_label_len);
+ o_subj_label_len = subj_label_len;
+ }
o_filename = strlen(filename);
- ima_ng_get_offsets(NULL, &o_digest, &o_filename, &o_uid, &o_gid);
+ ima_ng_get_offsets(NULL, &o_digest, &o_filename, &o_uid, &o_gid,
+ &o_obj_label_len, &o_subj_label_len);
template_data_size = ima_template == IMA_NG_TEMPLATE ?
- o_filename + strlen(filename) + 1 : o_gid + sizeof(gid_t);
+ o_filename + strlen(filename) + 1 :
+ o_subj_label_len + sizeof(u32) + subj_label_len + 1;
entry = kzalloc(sizeof(*entry) + template_data_size, GFP_KERNEL);
if (!entry)
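Review bot: The secctx buffers obtained at L106 and L109 are only released in the success path later in the function, so when `kzalloc` fails at L121-122 both `obj_label` and `subj_label` leak; the kzalloc failure handling itself is outside the hunk, and the function continues past L122. `rc` is assigned twice but never read, which will also draw a set-but-unused warning; either check it or drop the variable. I would route the allocation failure through a label that releases both contexts, and move the two `security_release_secctx()` calls from the fill-in code to that label so every exit path frees them exactly once (those calls sit in the next hunk).
```c
	if ((ima_template == IMA_NGLONG_TEMPLATE) && inode) {
		u32 osid, sid;

		security_inode_getsecid(inode, &osid);
		if (security_secid_to_secctx(osid, &obj_label, &obj_label_len))
			obj_label_len = 0;	/* no LSM / no context: emit empty label */
		o_obj_label_len = obj_label_len;
		security_task_getsecid(current, &sid);
		if (security_secid_to_secctx(sid, &subj_label, &subj_label_len))
			subj_label_len = 0;
		o_subj_label_len = subj_label_len;
	}
	/* … unchanged: offset computation and template_data_size … */
	entry = kzalloc(sizeof(*entry) + template_data_size, GFP_KERNEL);
	if (!entry)
		goto out_release;
	/* … unchanged: template fill-in, minus the two release calls … */
out_release:
	if (obj_label_len > 0)
		security_release_secctx(obj_label, obj_label_len);
	if (subj_label_len > 0)
		security_release_secctx(subj_label, subj_label_len);
```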
@@ -226,14 +261,29 @@ struct ima_template_entry *ima_ng_alloc_init_entry(struct inode *inode,
memcpy(entry->template + o_digest, digest,
ima_template_hash_size);
strcpy(entry->template + o_filename, filename);
- if (ima_template == IMA_NGLONG_TEMPLATE) {
- entry->template_name = IMA_NGLONG_TEMPLATE_NAME;
- if (inode) {
- *(uid_t *) (entry->template + o_uid) = inode->i_uid;
- *(gid_t *) (entry->template + o_gid) = inode->i_gid;
- }
- } else
+ if (ima_template == IMA_NG_TEMPLATE) {
entry->template_name = IMA_NG_TEMPLATE_NAME;
+ goto out;
+ }
+
+ entry->template_name = IMA_NGLONG_TEMPLATE_NAME;
+ if (inode) {
+ *(uid_t *) (entry->template + o_uid) = inode->i_uid;
+ *(gid_t *) (entry->template + o_gid) = inode->i_gid;
+ }
+ *(entry->template + o_obj_label_len) = obj_label_len;
+ if (obj_label_len > 0) {
+ memcpy(entry->template + o_obj_label_len +
+ sizeof obj_label_len, obj_label, obj_label_len);
+ security_release_secctx(obj_label, obj_label_len);
+ }
+
+ *(entry->template + o_subj_label_len) = subj_label_len;
+ if (subj_label_len > 0) {
+ memcpy(entry->template + o_subj_label_len +
+ sizeof subj_label_len, subj_label, subj_label_len);
+ security_release_secctx(subj_label, subj_label_len);
+ }
out:
return entry;
}
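Review bot: `*(entry->template + o_obj_label_len) = obj_label_len;` at L144 (and the subject counterpart at L151) dereferences `entry->template` as its element type, which the `strcpy` at L126 implies is `char`, so only the low byte of the `u32` length is stored, while `ima_ng_get_offsets()` and `ima_template_show()` read a full `u32` back. With kzalloc zero-filling the other three bytes this happens to work on little-endian for labels shorter than 256 bytes and silently produces wrong lengths otherwise, including on big-endian. The stores should match the uid/gid ones at L141-142, and since the offset is not aligned, `put_unaligned(obj_label_len, (u32 *)(entry->template + o_obj_label_len));` and `put_unaligned(subj_label_len, (u32 *)(entry->template + o_subj_label_len));` are the safe forms.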
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 4965485..e921f38 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -1,10 +1,12 @@
/*
- * Copyright (C) 2005,2006,2007,2008 IBM Corporation
+ * Copyright (C) 2005 - 2010 IBM Corporation
+ * Copyright (C) 2010 Politecnico di Torino, Italy,
+ * Roberto Sassu <rob...@po...>
*
* Authors:
- * Kylene Hall <kj...@us...>
- * Reiner Sailer <sa...@us...>
- * Mimi Zohar <zo...@us...>
+ * Kylene Hall <kj...@us...>
+ * Reiner Sailer <sa...@us...>
+ * Mimi Zohar <zo...@us...>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
@@ -198,6 +200,8 @@ void ima_template_show(struct seq_file *m, int e_len, void *e,
{
struct ima_template_data *entry = e;
unsigned short o_digest, o_filename, o_uid, o_gid;
+ u32 o_obj_lsm_label_len, o_subj_lsm_label_len;
+ u32 lsm_label_len;
int namelen;
switch (show) {
@@ -208,15 +212,31 @@ void ima_template_show(struct seq_file *m, int e_len, void *e,
seq_printf(m, " %s\n", entry->file_name);
} else {
ima_ng_get_offsets(e, &o_digest, &o_filename,
- &o_uid, &o_gid);
+ &o_uid, &o_gid,
+ &o_obj_lsm_label_len,
+ &o_subj_lsm_label_len);
seq_printf(m, "%s ", (char *)e);
ima_print_digest(m, e + o_digest,
ima_template_hash_size);
seq_printf(m, " %s", (char *)e + o_filename);
- if (ima_template == IMA_NGLONG_TEMPLATE) {
- seq_printf(m, " %u", *(uid_t *) (e + o_uid));
- seq_printf(m, " %u", *(gid_t *) (e + o_gid));
+ if (ima_template == IMA_NG_TEMPLATE) {
+ seq_putc(m, '\n');
+ break;
}
+ seq_printf(m, " %u", *(uid_t *) (e + o_uid));
+ seq_printf(m, " %u", *(gid_t *) (e + o_gid));
+
+ lsm_label_len = *(u32 *) (e + o_obj_lsm_label_len);
+ if (lsm_label_len > 0)
+ seq_printf(m, " %s",
+ (char *)e + o_obj_lsm_label_len
+ + sizeof(lsm_label_len));
+
+ lsm_label_len = *(u32 *) (e + o_subj_lsm_label_len);
+ if (lsm_label_len > 0)
+ seq_printf(m, " %s",
+ (char *)(e + o_subj_lsm_label_len
+ + sizeof(lsm_label_len)));
seq_putc(m, '\n');
}
break;
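Review bot: When a label length is 0 the field is omitted entirely at L212-215 and L218-221, so the ascii nglong line has a variable number of columns and a consumer such as a remote attestation verifier cannot tell whether the missing field was the object or the subject label. Either always emit the column (an explicit empty placeholder when the length is 0) or document the column rules wherever the ima-nglong format is described. The object label is addressed as `(char *)e + o_obj_lsm_label_len + sizeof(lsm_label_len)` at L214 but the subject label as `(char *)(e + o_subj_lsm_label_len + sizeof(lsm_label_len))` at L220; the two are equivalent here, but one form should be used for both. The `%s` prints rely on the NUL byte the allocator reserves after each label; a bound against the `e_len` the function receives would make the reader robust to a malformed entry.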
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index 70fa993..168d3e3 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -108,6 +108,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
const char *audit_cause = "hash_added";
int audit_info = 1;
unsigned short o_digest, o_filename, o_uid, o_gid;
+ u32 o_obj_label_len = 0, o_subj_label_len = 0;
int result = 0;
mutex_lock(&ima_extend_list_mutex);
@@ -136,7 +137,9 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
}
out:
mutex_unlock(&ima_extend_list_mutex);
- ima_ng_get_offsets(entry, &o_digest, &o_filename, &o_uid, &o_gid);
+ ima_ng_get_offsets(entry, &o_digest, &o_filename, &o_uid, &o_gid,
+ &o_obj_label_len, &o_subj_label_len);
+
integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
entry->template + o_filename,
op, audit_cause, result, audit_info);
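Review bot: `ima_ng_get_offsets()` is handed `entry`, a `struct ima_template_entry *`, while ima_fs.c hands it the template data itself, and the callee now also loads `*(u32 *)((char *)entry + *o_obj_label_len)` relative to whatever base it is given; unless `template` is the first member of the struct (not visible here), the filename and label-length reads on this path come from the wrong bytes, which the subsequent `entry->template + o_filename` on the next line would not reveal. Passing `entry->template` (with the cast the current prototype requires, or by changing the prototype to take the template data pointer as the ima_fs.c caller already assumes) would make both callers consistent. Only `o_filename` is used here, so the uid/gid/label outputs are dead locals in this function. The enclosing function starts outside the hunk.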
--
1.6.6.1