ima: do not include field length in template digest calc for ima template
authorRoberto Sassu <roberto.sassu@polito.it>
Fri, 8 Nov 2013 18:21:39 +0000 (19:21 +0100)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Mon, 25 Nov 2013 12:26:28 +0000 (07:26 -0500)
To maintain compatibility with userspace tools, the field length must not
be included in the template digest calculation for the 'ima' template.

Fixes commit: a71dc65 ima: switch to new template management mechanism

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
security/integrity/ima/ima.h
security/integrity/ima/ima_api.c
security/integrity/ima/ima_crypto.c

index bf03c6a16cc83ace2f47a3ea7571ef79a63ed1d9..a21cf706d2131691e5a340b990d85b19b2279031 100644 (file)
@@ -97,7 +97,8 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
                           const char *op, struct inode *inode,
                           const unsigned char *filename);
 int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
-int ima_calc_field_array_hash(struct ima_field_data *field_data, int num_fields,
+int ima_calc_field_array_hash(struct ima_field_data *field_data,
+                             struct ima_template_desc *desc, int num_fields,
                              struct ima_digest_data *hash);
 int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
 void ima_add_violation(struct file *file, const unsigned char *filename,
index 0e7540863fc299687877ae4591961b13b60fcaa9..80374842fe0bb4cfef8a7dec8144eeff5278d408 100644 (file)
@@ -94,6 +94,7 @@ int ima_store_template(struct ima_template_entry *entry,
                /* this function uses default algo */
                hash.hdr.algo = HASH_ALGO_SHA1;
                result = ima_calc_field_array_hash(&entry->template_data[0],
+                                                  entry->template_desc,
                                                   num_fields, &hash.hdr);
                if (result < 0) {
                        integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
index 676e0292dfecf6744b720b8a7e103415b924cc37..fdf60def52e90c93799e7d6ff6298ab4dd68c6d3 100644 (file)
@@ -140,6 +140,7 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
  * Calculate the hash of template data
  */
 static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
+                                        struct ima_template_desc *td,
                                         int num_fields,
                                         struct ima_digest_data *hash,
                                         struct crypto_shash *tfm)
@@ -160,9 +161,13 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
                return rc;
 
        for (i = 0; i < num_fields; i++) {
-               rc = crypto_shash_update(&desc.shash,
-                                        (const u8 *) &field_data[i].len,
-                                        sizeof(field_data[i].len));
+               if (strcmp(td->name, IMA_TEMPLATE_IMA_NAME) != 0) {
+                       rc = crypto_shash_update(&desc.shash,
+                                               (const u8 *) &field_data[i].len,
+                                               sizeof(field_data[i].len));
+                       if (rc)
+                               break;
+               }
                rc = crypto_shash_update(&desc.shash, field_data[i].data,
                                         field_data[i].len);
                if (rc)
@@ -175,7 +180,8 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
        return rc;
 }
 
-int ima_calc_field_array_hash(struct ima_field_data *field_data, int num_fields,
+int ima_calc_field_array_hash(struct ima_field_data *field_data,
+                             struct ima_template_desc *desc, int num_fields,
                              struct ima_digest_data *hash)
 {
        struct crypto_shash *tfm;
@@ -185,7 +191,8 @@ int ima_calc_field_array_hash(struct ima_field_data *field_data, int num_fields,
        if (IS_ERR(tfm))
                return PTR_ERR(tfm);
 
-       rc = ima_calc_field_array_hash_tfm(field_data, num_fields, hash, tfm);
+       rc = ima_calc_field_array_hash_tfm(field_data, desc, num_fields,
+                                          hash, tfm);
 
        ima_free_tfm(tfm);