Google Git
Sign in
linux/linux/kernel/git/zohar/linux-integrity/refs/heads/next-boot-cmdline^!/.
commit
4e537d26a09d975c543fbb1f493ddcb559207eda
[log]
author
Mimi Zohar <zohar@linux.vnet.ibm.com>
Mon Jan 11 22:58:18 2016 -0500
committer
Mimi Zohar <zohar@linux.vnet.ibm.com>
Wed Jan 13 16:57:02 2016 -0500
tree
0b5a22cd169bd2fdede6355cc50dd4de578c9010
parent
8e3558cf3ba560408ecddcae934070fffa891f0c [diff]
ima: measure kexec boot command line

In addition to files, other things (eg. boot command line) need to be
measured to attest to the integrity of a running system.  A new IMA
hook named ima_buffer_check() calculates and includes the buffer hash
in the measurement list.  Callers of this hook provide the buffer,
buffer length and a policy identifier.

To measure the boot command line, this patch defines a new policy
identifier named BOOT_CHECK.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index e80f767..227df54 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy

@@ -27,6 +27,7 @@
 
 		base: 	func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
 				[FIRMWARE_CHECK] [KEXEC_CHECK] [INITRAMFS_CHECK]
+				[BOOT_CHECK]
 			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
 			       [[^]MAY_EXEC]
 			fsmagic:= hex value

diff --git a/include/linux/ima.h b/include/linux/ima.h
index 969552b..6c2b80a 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h

@@ -22,12 +22,19 @@
 	IMA_MAX_READ_CHECK
 };
 
+enum ima_buffer_id {
+	BOOT_CHECK = IMA_MAX_READ_CHECK,
+	IMA_MAX_BUFFER_ID
+};
+
 #ifdef CONFIG_IMA
 extern int ima_bprm_check(struct linux_binprm *bprm);
 extern int ima_file_check(struct file *file, int mask, int opened);
 extern void ima_file_free(struct file *file);
 extern int ima_file_mmap(struct file *file, unsigned long prot);
 extern int ima_module_check(struct file *file);
+extern void ima_buffer_check(void *buf, loff_t size,
+			     enum ima_buffer_id buffer_id);
 extern int ima_hash_and_process_file(struct file *file,
 				     void *buf, loff_t size,
 				     enum ima_policy_id policy_id);
@@ -58,13 +65,18 @@
 	return 0;
 }
 
+static inline void ima_buffer_check(void *buf, loff_t size,
+				    enum ima_buffer_id buffer_id)
+{
+	return;
+}
+
 static inline int ima_hash_and_process_file(struct file *file,
 					    void *buf, loff_t size,
 					    enum ima_policy_id policy_id)
 {
 	return 0;
 }
-
 #endif /* CONFIG_IMA */
 
 #ifdef CONFIG_IMA_APPRAISE

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index f7c3ce4..c98dfb1 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c

@@ -175,6 +175,9 @@
 			ret = -EINVAL;
 			goto out;
 		}
+
+		ima_buffer_check(image->cmdline_buf, cmdline_len - 1,
+				 BOOT_CHECK);
 	}
 
 	/* Call arch image load handlers */

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e8f111b..09ccb4e 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h

@@ -122,6 +122,7 @@
 void ima_print_digest(struct seq_file *m, u8 *digest, u32 size);
 struct ima_template_desc *ima_template_desc_current(void);
 int ima_init_template(void);
+int ima_match_buffer_id(enum ima_buffer_id buffer_id);
 
 /*
  * used to protect h_table and sha_table
@@ -161,7 +162,7 @@
 
 /* IMA policy related functions */
 enum ima_hooks {
-	FILE_CHECK = IMA_MAX_READ_CHECK,
+	FILE_CHECK = IMA_MAX_BUFFER_ID,
 	MMAP_CHECK,
 	BPRM_CHECK,
 	POST_SETATTR

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 2955118..b6e9bf2 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c

@@ -24,6 +24,7 @@
 #include <linux/slab.h>
 #include <linux/xattr.h>
 #include <linux/ima.h>
+#include <crypto/hash_info.h>
 
 #include "ima.h"
 
@@ -337,6 +338,72 @@
 	return 0;
 }
 
+static void process_buffer_measurement(void *buf, loff_t size,
+				       enum ima_buffer_id buffer_id)
+{
+	struct ima_template_entry *entry;
+	struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
+	struct ima_event_data event_data = {iint, NULL, NULL, NULL, 0, NULL};
+	struct ima_digest_data *hash;
+	char *name;
+	int length = hash_digest_size[ima_hash_algo];
+	int violation = 0;
+	int result;
+
+	hash = kzalloc(sizeof(*hash) + length, GFP_KERNEL);
+	if (!hash)
+		return;
+
+	hash->algo = ima_hash_algo;
+	result = ima_calc_buffer_hash(buf, size, hash);
+	if (result < 0)
+		goto out;
+
+	iint->ima_hash = hash;
+	iint->ima_hash->algo = ima_hash_algo;
+	iint->ima_hash->length = length;
+
+	switch (buffer_id) {
+	case BOOT_CHECK:
+		name = "boot-cmdline";
+		break;
+	default:
+		name = "unknown";
+	}
+
+	event_data.filename = name;
+	result = ima_alloc_init_template(&event_data, &entry);
+	if (result < 0)
+		goto out;
+
+	result = ima_store_template(entry, violation, NULL, name);
+	if (result < 0) {
+		ima_free_template_entry(entry);
+		goto out;
+	}
+	return;
+
+out:
+	kfree(hash);
+}
+
+/**
+ * ima_buffer_check - based on policy, collect & store buffer measurement
+ * @buf: pointer to buffer
+ * @size: size of buffer
+ * @buffer_id: caller identifier
+ *
+ * Buffers can only be measured, not appraised.  The buffer identifier
+ * is used as the measurement list entry name (eg. boot_cmdline).
+ */
+void ima_buffer_check(void *buf, loff_t size, enum ima_buffer_id buffer_id)
+{
+	if (!ima_match_buffer_id(buffer_id))
+		return;
+
+	process_buffer_measurement(buf, size, buffer_id);
+}
+
 /**
  * ima_hash_and_process_file - in memory collect/appraise/audit measurement
  * @file: pointer to the file to be measured/appraised/audit

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index bf30acf..7645616 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c

@@ -56,6 +56,7 @@
 	union {
 		enum ima_hooks func;
 		enum ima_policy_id policy_id;
+		enum ima_buffer_id buffer_id;
 	} hooks;
 	int mask;
 	unsigned long fsmagic;
@@ -363,6 +364,29 @@
 	return action;
 }
 
+/**
+ * ima_match_buffer_id - decision based on policy containing buffer id
+ * @buffer_id: IMA buffer identifier
+ *
+ * Measure decision based the buffer identifier's existence in policy.
+ * (Without an inode, buffers can only be measured, not appraised.)
+ */
+int ima_match_buffer_id(enum ima_buffer_id buffer_id)
+{
+	struct ima_rule_entry *entry;
+	int result = 0;
+
+	rcu_read_lock();
+	list_for_each_entry_rcu(entry, ima_rules, list) {
+		if ((entry->action == MEASURE) && (entry->flags & IMA_FUNC) &&
+		    (entry->hooks.buffer_id == buffer_id))
+			result = 1;
+	}
+	rcu_read_unlock();
+
+	return result;
+}
+
 /*
  * Initialize the ima_policy_flag variable based on the currently
  * loaded policy.  Based on this flag, the decision to short circuit
@@ -628,6 +652,8 @@
 				entry->hooks.policy_id = POLICY_CHECK;
 			else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
 				entry->hooks.policy_id = MODULE_CHECK;
+			else if (strcmp(args[0].from, "BOOT_CHECK") == 0)
+				entry->hooks.buffer_id = BOOT_CHECK;
 			else
 				result = -EINVAL;
 			if (!result)
@@ -875,7 +901,7 @@
 	func_file = 0, func_mmap, func_bprm,
 	func_module, func_post,
 	func_kexec, func_initramfs, func_firmware,
-	func_policy
+	func_policy, func_cmdline
 };
 
 static char *func_tokens[] = {
@@ -887,7 +913,8 @@
 	"KEXEC_CHECK",
 	"INITRAMFS_CHECK",
 	"FIRMWARE_CHECK",
-	"POLICY_CHECK"
+	"POLICY_CHECK",
+	"BOOT_CHECK"
 };
 
 void *ima_policy_start(struct seq_file *m, loff_t *pos)
@@ -978,6 +1005,9 @@
 			case MODULE_CHECK:
 				seq_printf(m, pt(Opt_func), ft(func_module));
 				break;
+			case BOOT_CHECK:
+				seq_printf(m, pt(Opt_func), ft(func_cmdline));
+				break;
 			default:
 				snprintf(tbuf, sizeof(tbuf), "%d",
 					 entry->hooks.func);