From: Fabio V. S. <fab...@st...> - 2017-07-29 08:50:54
Hi all,
I'm a master's student in computer engineering at Politecnico di Torino.
I'm doing my thesis on Remote Attestation for lightVM (especially for
Docker). During the development of my project I had the need to disable
the two caches of IMA (the one looking at the inode and the hashtable
lookup), in order to have the file measured every time it is loaded (in
my case this is useful because the same file can be loaded in different
containers).
I think that this feature can be useful also to other people, so here is
the patch (developed and tested on the latest version of the source
code, i.e. v4.13-rc2):
From 1834f3d14cc94c1bd01999438f7ba0c0d3c9f717 Mon Sep 17 00:00:00 2001
From: Fabio Vallone <fab...@st...>
Date: Sat, 29 Jul 2017 10:01:01 +0200
Subject: [PATCH] Kernel boot parameters to disable ima caches
Signed-off-by: Fabio Vallone <fab...@st...>
---
security/integrity/ima/ima.h | 2 ++
security/integrity/ima/ima_init.c | 26 ++++++++++++++++++++++++++
security/integrity/ima/ima_main.c | 8 ++++++++
security/integrity/ima/ima_queue.c | 2 +-
4 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index d52b487..2e969b2 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -57,6 +57,8 @@ extern int ima_initialized;
extern int ima_used_chip;
extern int ima_hash_algo;
extern int ima_appraise;
+extern int ima_cache1_enabled;
+extern int ima_cache2_enabled;
/* IMA event related data */
struct ima_event_data {
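Review bot: the new externs `ima_cache1_enabled` / `ima_cache2_enabled` say nothing about what each switch actually gates; name them after the behaviour (for example `ima_remeasure_inode` for the per-inode `measured_pcrs` check and `ima_skip_digest_lookup` for the measurement-list digest lookup) and declare them `bool`. The series also introduces two boot parameters without an entry in Documentation/admin-guide/kernel-parameters.txt (the diffstat lists only four files under security/integrity/ima/); new `ima_*=` parameters need to be documented there next to the existing `ima_*` options.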
diff --git a/security/integrity/ima/ima_init.c
b/security/integrity/ima/ima_init.c
index 2967d49..ce5d7d8 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -139,3 +139,29 @@ int __init ima_init(void)
return ima_fs_init();
}
+// Disable cache 1 and cache 2
+static int __init ima_cache1_setup(char *str)
+{
+ if(strncmp(str, "false", 5)==0){
+ printk("Disabling Cache1");
+ ima_cache1_enabled = 0;
+ }else{
+ ima_cache1_enabled = 1;
+ }
+
+ return 1;
+}
+__setup("ima_cache1=", ima_cache1_setup);
+
+static int __init ima_cache2_setup(char *str)
+{
+ if(strncmp(str, "false", 5)==0){
+ printk("Disabling Cache2");
+ ima_cache2_enabled = 0;
+ }else{
+ ima_cache1_enabled = 1;
+ }
+
+ return 1;
+}
+__setup("ima_cache2=", ima_cache2_setup);
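Review bot: `ima_cache2_setup()` has a copy-paste bug in its `else` branch: it assigns `ima_cache1_enabled = 1` instead of `ima_cache2_enabled = 1`, so `ima_cache2=<anything but false>` silently re-enables cache 1 and leaves cache 2 untouched. Beyond that, `strncmp(str, "false", 5)` also matches "falsehood" and similar prefixes; the kernel already provides `kstrtobool()` for y/n/1/0/true/false parsing, or compare with `strcmp()` if only one token is accepted. The `printk()` calls need a log level and a trailing newline (`pr_info("Disabling cache1\n")`), the `//` comments and the missing spaces in `if(`, `==0` and `}else{` will not pass checkpatch, and since both handlers are identical apart from the variable they write, one helper taking a `bool *` would remove the duplication that caused the bug above.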
diff --git a/security/integrity/ima/ima_main.c
b/security/integrity/ima/ima_main.c
index 2aebb79..be5dff0 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -28,6 +28,9 @@
#include "ima.h"
int ima_initialized;
+int ima_cache1_enabled = 1;
+int ima_cache2_enabled = 1;
+
#ifdef CONFIG_IMA_APPRAISE
int ima_appraise = IMA_APPRAISE_ENFORCE;
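Review bot: these two globals are on/off switches, so declare them `bool` rather than `int` initialised to 1; since they are only written from `__setup` handlers during early boot, `__ro_after_init` would also fit. That in turn removes the `== 1` / `== 0` comparisons the later hunks rely on.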
@@ -253,6 +256,11 @@ static int process_measurement(struct file *file,
char *buf, loff_t size,
if (action & IMA_AUDIT)
ima_audit_measurement(iint, pathname);
+ //Flush Inode For next Measurement if cache1 is disabled
+ if(ima_cache1_enabled == 0)
+ iint->measured_pcrs = 0;
+
+
out_digsig:
if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
!(iint->flags & IMA_NEW_FILE))
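Review bot: the `iint->measured_pcrs = 0` reset runs unconditionally at this point, i.e. also on calls where no measurement was taken (appraise-only or audit-only actions) and regardless of whether storing the measurement succeeded; it belongs next to the `IMA_MEASURE` handling, guarded by `action & IMA_MEASURE`. Please also confirm it achieves what the cover letter asks for: nothing in this hunk touches `IMA_COLLECTED`, so check whether the next open really re-hashes the file or only re-adds a measurement entry built from the cached `iint->ima_hash`, which would only be recomputed once the file has been modified. Style: use `/* */` comments, `if (` with a space, and drop the double blank line before `out_digsig:`.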
diff --git a/security/integrity/ima/ima_queue.c
b/security/integrity/ima/ima_queue.c
index a02a86d..7105587 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -172,7 +172,7 @@ int ima_add_template_entry(struct ima_template_entry
*entry, int violation,
mutex_lock(&ima_extend_list_mutex);
if (!violation) {
memcpy(digest, entry->digest, sizeof(digest));
- if (ima_lookup_digest_entry(digest, entry->pcr)) {
+ if (ima_cache2_enabled==1 && ima_lookup_digest_entry(digest,
entry->pcr)) {
audit_cause = "hash_exists";
result = -EEXIST;
goto out;
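Review bot: bypassing `ima_lookup_digest_entry()` means every open of an already-measured file now falls through to appending a new template entry and extending the PCR, so with this switch off the measurement list grows by one entry per execution, and each duplicate is also inserted into the same hash table the lookup would otherwise have hit. That may be intended, but the commit message should say so and note that the list is pinned kernel memory with no bound once deduplication is off. Minor: `ima_cache2_enabled==1 &&` should read `ima_cache2_enabled &&` with normal spacing, and this hunk (like the `diff --git` headers above, which are split across two lines) has been wrapped by the mail client, so the patch will not apply with `git am` as posted; please resend via `git send-email` or as an attachment.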
--
2.7.4
What I've done is the addition of two kernel boot parameters, named
'ima_cache1' and 'ima_cache2', that once set to 'false' will disable
the two caches.
ima_cache1 forces the file to be remeasured every time by setting the
inode->measured_pcrs value to 0, while ima_cache2 will skip the lookup
in the hashtable of the cache.
If these parameters are not set or they are set to an incorrect value, IMA
will continue to work exactly like now.
Do you think that this can be nice to have in the kernel?
Best regards,
Fabio