From: Mimi Z. <zo...@li...> - 2017-07-31 12:02:49
On Sat, 2017-07-29 at 10:28 +0200, Fabio Vallone S224870 wrote:
> Hi all,
>
> I'm a master student in computer engineering at politecnico di torino.
> I'm doing my thesis on Remote Attestation for lightVM (especially for
> docker). During the development of my project I had the need to disable
> the two caches of Ima (the one looking the inode and the hashtable
> lookup), in order to have the file measured every time it is loaded (in
> my case this is useful because the same file can be loaded in different
> containers).
>
> I think that this feature can be useful also to other people so here is
> the patch (developed and tested on the latest version of the source
> code, i.e. v4.13 rc2):
Thank you for sharing this patch with us. The real solution is to
namespace IMA, including the hash table. Until IMA-measurement
namespacing is upstreamed, I assume this will be useful for others,
but, unfortunately, not something that I can upstream.
Below are a few reminders when posting patches in the future.
>
> From 1834f3d14cc94c1bd01999438f7ba0c0d3c9f717 Mon Sep 17 00:00:00 2001
> From: Fabio Vallone <fab...@st...>
> Date: Sat, 29 Jul 2017 10:01:01 +0200
> Subject: [PATCH] Kernel boot parameters to disable ima caches
Missing patch description.
>
> Signed-off-by: Fabio Vallone <fab...@st...>
> ---
> security/integrity/ima/ima.h | 2 ++
> security/integrity/ima/ima_init.c | 26 ++++++++++++++++++++++++++
> security/integrity/ima/ima_main.c | 8 ++++++++
> security/integrity/ima/ima_queue.c | 2 +-
> 4 files changed, 37 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index d52b487..2e969b2 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -57,6 +57,8 @@ extern int ima_initialized;
> extern int ima_used_chip;
> extern int ima_hash_algo;
> extern int ima_appraise;
> +extern int ima_cache1_enabled;
> +extern int ima_cache2_enabled;
>
> /* IMA event related data */
> struct ima_event_data {
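Review bot: The names `ima_cache1_enabled` and `ima_cache2_enabled` added to ima.h say nothing about which cache each one gates; a reader has to find the __setup() handlers and the call sites to learn that "cache1" is the per-inode measured_pcrs short-cut and "cache2" is the digest hash-table lookup. Naming them for what they control, e.g. `extern int ima_inode_cache_enabled;` and `extern int ima_digest_cache_enabled;`, and using the same words for the boot parameters, would make the patch self-explanatory. A one-line comment above each declaration stating the effect of clearing it (re-add the file on every open / allow duplicate digests in the measurement list) would also be worth adding, since both change the semantics of the measurement log.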
> diff --git a/security/integrity/ima/ima_init.c
> b/security/integrity/ima/ima_init.c
> index 2967d49..ce5d7d8 100644
> --- a/security/integrity/ima/ima_init.c
> +++ b/security/integrity/ima/ima_init.c
> @@ -139,3 +139,29 @@ int __init ima_init(void)
>
> return ima_fs_init();
> }
> +// Disable cache 1 and cache 2
Refer to section 8 "Commenting" of Documentation/process/coding-style.rst for the expected comment style.
Mimi
> +static int __init ima_cache1_setup(char *str)
> +{
> + if(strncmp(str, "false", 5)==0){
> + printk("Disabling Cache1");
> + ima_cache1_enabled = 0;
> + }else{
> + ima_cache1_enabled = 1;
> + }
> +
> + return 1;
> +}
> +__setup("ima_cache1=", ima_cache1_setup);
> +
> +static int __init ima_cache2_setup(char *str)
> +{
> + if(strncmp(str, "false", 5)==0){
> + printk("Disabling Cache2");
> + ima_cache2_enabled = 0;
> + }else{
> + ima_cache1_enabled = 1;
> + }
> +
> + return 1;
> +}
> +__setup("ima_cache2=", ima_cache2_setup);
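Review bot: The `else` branch of ima_cache2_setup assigns `ima_cache1_enabled = 1;` instead of `ima_cache2_enabled = 1;`, a copy-paste slip from ima_cache1_setup, so `ima_cache2=true` silently re-enables the wrong cache and never touches the one it names. Both `else` branches are redundant anyway, since the definitions in ima_main.c already default to 1, and dropping them removes the slip entirely. `strncmp(str, "false", 5)` also accepts any value that merely starts with "false" (e.g. `ima_cache2=falsehood`); `strcmp(str, "false") == 0` is the intended test. The bare printk() calls carry no log level and no trailing newline, so they inherit the default level and run into the next message; `pr_info("ima: ...\n")` is the conventional form. The rewritten handlers are shown below.
```c
static int __init ima_cache1_setup(char *str)
{
	if (strcmp(str, "false") == 0) {
		pr_info("ima: disabling the per-inode measurement cache\n");
		ima_cache1_enabled = 0;
	}
	return 1;
}
__setup("ima_cache1=", ima_cache1_setup);

static int __init ima_cache2_setup(char *str)
{
	if (strcmp(str, "false") == 0) {
		pr_info("ima: disabling the digest hash-table lookup\n");
		ima_cache2_enabled = 0;
	}
	return 1;
}
__setup("ima_cache2=", ima_cache2_setup);
```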
> diff --git a/security/integrity/ima/ima_main.c
> b/security/integrity/ima/ima_main.c
> index 2aebb79..be5dff0 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -28,6 +28,9 @@
> #include "ima.h"
>
> int ima_initialized;
> +int ima_cache1_enabled = 1;
> +int ima_cache2_enabled = 1;
> +
>
> #ifdef CONFIG_IMA_APPRAISE
> int ima_appraise = IMA_APPRAISE_ENFORCE;
> @@ -253,6 +256,11 @@ static int process_measurement(struct file *file,
> char *buf, loff_t size,
> if (action & IMA_AUDIT)
> ima_audit_measurement(iint, pathname);
>
> + //Flush Inode For next Measurement if cache1 is disabled
> + if(ima_cache1_enabled == 0)
> + iint->measured_pcrs = 0;
> +
> +
> out_digsig:
> if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
> !(iint->flags & IMA_NEW_FILE))
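Review bot: Clearing `iint->measured_pcrs` after the measurement only defeats the "already in this PCR" short-cut; it does not by itself make the next open re-hash the file. In this kernel series ima_collect_measurement() (not in this hunk, confirm against ima_api.c) returns early while `iint->flags` still carries IMA_COLLECTED, so the next open would re-add the cached digest rather than recompute it, which is not the "measured every time it is loaded" behaviour the cover letter describes. If a fresh hash per load is the goal, the flush also needs `iint->flags &= ~IMA_COLLECTED;`; if re-logging the cached digest is enough, the comment above the block should say exactly that so nobody relies on it detecting modifications. Kernel style would write the test as `if (!ima_cache1_enabled)`. process_measurement() starts and ends outside this hunk.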
> diff --git a/security/integrity/ima/ima_queue.c
> b/security/integrity/ima/ima_queue.c
> index a02a86d..7105587 100644
> --- a/security/integrity/ima/ima_queue.c
> +++ b/security/integrity/ima/ima_queue.c
> @@ -172,7 +172,7 @@ int ima_add_template_entry(struct ima_template_entry
> *entry, int violation,
> mutex_lock(&ima_extend_list_mutex);
> if (!violation) {
> memcpy(digest, entry->digest, sizeof(digest));
> - if (ima_lookup_digest_entry(digest, entry->pcr)) {
> + if (ima_cache2_enabled==1 && ima_lookup_digest_entry(digest,
> entry->pcr)) {
> audit_cause = "hash_exists";
> result = -EEXIST;
> goto out;
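Review bot: With `ima_cache2_enabled` cleared, every open of an already-measured file now appends a new template entry and extends the PCR, and if ima_add_digest_entry() (outside this hunk) still inserts each entry into the hash table as in the unpatched code, both the measurement list and the table grow without bound. An unprivileged process inside a container that opens the same file in a loop can then consume kernel memory and bloat the log that remote verifiers must walk, besides hitting the TPM with one extend per open; this mode needs at least a size or rate cap, or a clear statement in the patch description that it is only intended for trusted test setups. The condition reads better with kernel spacing and without the explicit comparison, `if (ima_cache2_enabled && ima_lookup_digest_entry(digest, entry->pcr)) {`. ima_add_template_entry() starts and ends outside this hunk.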