ima: pass iint to ima_add_violation()
authorRoberto Sassu <rsassu@suse.de>
Sat, 11 Apr 2015 15:12:39 +0000 (17:12 +0200)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Thu, 21 May 2015 17:59:29 +0000 (13:59 -0400)
This patch adds the iint associated to the current inode as a new
parameter of ima_add_violation(). The passed iint is never NULL
when a violation is detected. This modification will be used to determine
the inode for which there is a violation.

Since the 'd' and 'd-ng' template field init() functions were detecting
a violation from the value of the iint pointer, they now check the new
field 'violation', added to the 'ima_event_data' structure.

Changelog:
 - v1:
   - modified an old comment (Roberto Sassu)

Signed-off-by: Roberto Sassu <rsassu@suse.de>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
security/integrity/ima/ima.h
security/integrity/ima/ima_api.c
security/integrity/ima/ima_init.c
security/integrity/ima/ima_main.c
security/integrity/ima/ima_template_lib.c

index e13ae5466bf224a7676b6bccd32b46c8174ec87b..c996f7edff3a360511a1e9aa65a6a8209ea057d7 100644 (file)
@@ -59,6 +59,7 @@ struct ima_event_data {
        const unsigned char *filename;
        struct evm_ima_xattr_data *xattr_value;
        int xattr_len;
+       const char *violation;
 };
 
 /* IMA template field data definition */
@@ -110,6 +111,7 @@ int ima_calc_field_array_hash(struct ima_field_data *field_data,
                              struct ima_digest_data *hash);
 int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
 void ima_add_violation(struct file *file, const unsigned char *filename,
+                      struct integrity_iint_cache *iint,
                       const char *op, const char *cause);
 int ima_init_crypto(void);
 void ima_putc(struct seq_file *m, void *data, int datalen);
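Review bot: The new `violation` member of `struct ima_event_data` (the added line in the first hunk) has no comment, yet its value is what ima_eventdigest_init() and ima_eventdigest_ng_init() now test before dereferencing `iint->ima_hash`, and ima_add_violation() fills it with its `cause` string. Suggest `const char *violation;	/* non-NULL: cause of a violation entry; no digest is taken from iint */`. The guard only holds if `cause` is never NULL, so that contract belongs on the ima_add_violation() prototype as well, e.g. `/* cause must be non-NULL: it marks the entry as a violation */`; the two callers in ima_main.c pass string literals, so this is documentation rather than a present defect.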
index 5865ea2a2777fe6d96dde77364bc56cc7c54f61f..1d950fbb2aecbb21c62b28233dba7a707a116a6b 100644 (file)
@@ -126,11 +126,13 @@ int ima_store_template(struct ima_template_entry *entry,
  * value is invalidated.
  */
 void ima_add_violation(struct file *file, const unsigned char *filename,
+                      struct integrity_iint_cache *iint,
                       const char *op, const char *cause)
 {
        struct ima_template_entry *entry;
        struct inode *inode = file_inode(file);
-       struct ima_event_data event_data = {NULL, file, filename, NULL, 0};
+       struct ima_event_data event_data = {iint, file, filename, NULL, 0,
+                                           cause};
        int violation = 1;
        int result;
 
@@ -264,8 +266,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
        int result = -ENOMEM;
        struct inode *inode = file_inode(file);
        struct ima_template_entry *entry;
-       struct ima_event_data event_data = {iint, file, filename,
-                                           xattr_value, xattr_len};
+       struct ima_event_data event_data = {iint, file, filename, xattr_value,
+                                           xattr_len, NULL};
        int violation = 0;
 
        if (iint->flags & IMA_MEASURED)
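Review bot: The positional initializer on the added lines of the first hunk (`{iint, file, filename, NULL, 0, cause}`) depends on the member order of `struct ima_event_data`, which is why this commit also has to edit the otherwise unrelated initializers in ima_store_measurement() (second hunk) and ima_add_boot_aggregate() in ima_init.c just to append a `NULL`. A designated initializer names only the members that matter and leaves the rest zeroed: `struct ima_event_data event_data = { .iint = iint, .file = file, .filename = filename, .violation = cause };`. The other two sites can drop their trailing `NULL` the same way, and future fields will not require touching them again. Separately, the local `int violation = 1;` and `event_data.violation` now denote different things (a flag versus a cause string); the local is presumably consumed further down the function, outside the hunk, so a rename would touch more lines than shown here.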
index 2c668370a4389c7142281ca8bdb28273e2a72c5e..e600cadd231cb985d4107b0c8149bdbe6b5fb152 100644 (file)
@@ -50,7 +50,7 @@ static int __init ima_add_boot_aggregate(void)
        struct ima_template_entry *entry;
        struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
        struct ima_event_data event_data = {iint, NULL, boot_aggregate_name,
-                                           NULL, 0};
+                                           NULL, 0, NULL};
        int result = -ENOMEM;
        int violation = 0;
        struct {
index eeee00dce72903d8b9e5b00d75588b10495bd8fc..c21f09bf8b99210f3c3dcbff4497e1194848db2c 100644 (file)
@@ -106,9 +106,10 @@ static void ima_rdwr_violation_check(struct file *file,
        *pathname = ima_d_path(&file->f_path, pathbuf);
 
        if (send_tomtou)
-               ima_add_violation(file, *pathname, "invalid_pcr", "ToMToU");
+               ima_add_violation(file, *pathname, iint,
+                                 "invalid_pcr", "ToMToU");
        if (send_writers)
-               ima_add_violation(file, *pathname,
+               ima_add_violation(file, *pathname, iint,
                                  "invalid_pcr", "open_writers");
 }
 
index 67d513367aacf2e5d903cc901f61c292c62db615..de0ce4fbdf694b2facb18be8a76ba3fc9fbf89a1 100644 (file)
@@ -209,7 +209,7 @@ int ima_eventdigest_init(struct ima_event_data *event_data,
 
        memset(&hash, 0, sizeof(hash));
 
-       if (!event_data->iint)          /* recording a violation. */
+       if (event_data->violation)      /* recording a violation. */
                goto out;
 
        if (ima_template_hash_algo_allowed(event_data->iint->ima_hash->algo)) {
@@ -247,8 +247,7 @@ int ima_eventdigest_ng_init(struct ima_event_data *event_data,
        u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1;
        u32 cur_digestsize = 0;
 
-       /* If iint is NULL, we are recording a violation. */
-       if (!event_data->iint)
+       if (event_data->violation)      /* recording a violation. */
                goto out;
 
        cur_digest = event_data->iint->ima_hash->digest;
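Review bot: The trailing `/* recording a violation. */` on the changed line in both hunks replaces a comment that explained the old mechanism (a NULL iint), but nothing now says why a violation entry skips the digest even though `iint` is no longer NULL and, for a ToMToU case, presumably already carries a measured hash. In the first hunk, where `memset(&hash, 0, sizeof(hash))` is in view, suggest `/* violation entry: leave the digest zeroed, do not use iint->ima_hash */`; in the second hunk the shorter `/* violation entry: do not use iint->ima_hash */` fits. Both function bodies continue past the hunks, so the `out` labels the gotos target are not in view.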