hulk inclusion category: feature feature: digest-lists
---------------------------
This patch introduces a new hook, DIGEST_LIST_CHECK, so that digest lists can be measured and appraised alongside executables and shared libraries without the IMA policy having to include the FILE_CHECK hook.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com
---
 security/integrity/ima/ima.h | 2 ++
 security/integrity/ima/ima_main.c | 3 ++-
 security/integrity/ima/ima_policy.c | 7 +++++++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 1cf20bbb106c..c8cd23bb8b8c 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -186,6 +186,7 @@ static inline unsigned int ima_hash_key(u8 *digest)
 hook(KEXEC_KERNEL_CHECK) \
 hook(KEXEC_INITRAMFS_CHECK) \
 hook(POLICY_CHECK) \
+ hook(DIGEST_LIST_CHECK) \
 hook(MAX_CHECK)
 #define __ima_hook_enumify(ENUM) ENUM,
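Review bot: The position of `hook(DIGEST_LIST_CHECK)` inside `__ima_hooks` is load-bearing and carries no comment: the enum generated from this list is what the policy code compares, and in upstream IMA the read-type hooks are recognised by numeric range (`MODULE_CHECK ... MAX_CHECK - 1` when picking the appraise sub-action), so the entry has to stay grouped with the other read hooks and ahead of `hook(MAX_CHECK)`; that range check lives outside this hunk, so confirm this tree still has it. A one-line note would keep a later reorder from silently changing which sub-action the hook gets, e.g. `hook(DIGEST_LIST_CHECK)	/* read-type hook; keep before MAX_CHECK */	\`. Use a `/* */` comment here, since a `//` comment on a backslash-continued line would swallow the continuation.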
@@ -236,6 +237,7 @@ int ima_policy_show(struct seq_file *m, void *v);
 #define IMA_APPRAISE_FIRMWARE 0x10
 #define IMA_APPRAISE_POLICY 0x20
 #define IMA_APPRAISE_KEXEC 0x40
+#define IMA_APPRAISE_DIGEST_LIST 0x80
#ifdef CONFIG_IMA_APPRAISE
 int ima_appraise_measurement(enum ima_hooks func,
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 78a904525711..5e30bf38c7de 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -504,7 +504,8 @@ static int read_idmap[READING_MAX_ID] = {
 [READING_MODULE] = MODULE_CHECK,
 [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK,
 [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK,
- [READING_POLICY] = POLICY_CHECK
+ [READING_POLICY] = POLICY_CHECK,
+ [READING_DIGEST_LIST] = DIGEST_LIST_CHECK
 };
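Review bot: `IMA_APPRAISE_DIGEST_LIST` is defined here and produced by `ima_appraise_flag`, but nothing in this patch tests `ima_appraise & IMA_APPRAISE_DIGEST_LIST`, so as of this commit the bit is write-only. The neighbouring firmware and module bits are, in upstream, what gate the no-file-descriptor paths of `ima_read_file`/`ima_post_read_file`; if the digest-list loader can be reached without a `struct file`, it presumably needs an equivalent check, unless the generic `!file` rejection already covers it (that code is outside this diff). If a later patch in the series adds the consumer, the description should say so; either way the definition deserves a note on who reads it, e.g. `#define IMA_APPRAISE_DIGEST_LIST 0x80	/* an APPRAISE rule names DIGEST_LIST_CHECK; checked by the digest-list loader */`.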
/**
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 2d5a3daa02f9..ac49f07e8997 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -133,6 +133,7 @@ static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
 {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
 {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
 {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
+ {.action = MEASURE, .func = DIGEST_LIST_CHECK, .flags = IMA_FUNC},
 };
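Review bot: The new `[READING_DIGEST_LIST] = DIGEST_LIST_CHECK` initializer depends on `READING_DIGEST_LIST` existing in `enum kernel_read_file_id`, which this patch does not add and the description does not mention, so the hunk only builds together with its companion patch. Because `read_idmap` is sized by `READING_MAX_ID`, an enumerator added after the terminator would be a compile error rather than an out-of-bounds initializer, which is the right failure mode, but the ordering dependency should be stated in the commit message ("depends on the patch adding READING_DIGEST_LIST to kernel_read_file_id"). It is also worth confirming that the string table generated from the same enum list grew a matching entry, since the upstream audit/log names are indexed by the same value.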
static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
@@ -191,6 +192,8 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 {.action = APPRAISE, .func = POLICY_CHECK,
 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
+ {.action = APPRAISE, .func = DIGEST_LIST_CHECK,
+ .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 };
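Review bot: Digest lists get a MEASURE rule in `default_measurement_rules` and a signature-required APPRAISE rule in `secure_boot_rules`, but `default_appraise_rules` (its header is the last line of this hunk; its body is outside the diff) gains no `DIGEST_LIST_CHECK` rule, so under the builtin appraise policy a digest list is appraised only as far as that array's existing generic rules happen to match it. If the feature uses a digest list to vouch for the integrity of other files, the list itself should be held to at least the appraisal standard of what it vouches for. Either add `{.action = APPRAISE, .func = DIGEST_LIST_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},` there as well, or explain in the commit message why the builtin appraise policy is deliberately left alone.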
static LIST_HEAD(ima_default_rules);
@@ -470,6 +473,8 @@ static int ima_appraise_flag(enum ima_hooks func)
 return IMA_APPRAISE_POLICY;
 else if (func == KEXEC_KERNEL_CHECK)
 return IMA_APPRAISE_KEXEC;
+ else if (func == DIGEST_LIST_CHECK)
+ return IMA_APPRAISE_DIGEST_LIST;
 return 0;
 }
@@ -785,6 +790,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 entry->func = KEXEC_INITRAMFS_CHECK;
 else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
 entry->func = POLICY_CHECK;
+ else if (strcmp(args[0].from, "DIGEST_LIST_CHECK") == 0)
+ entry->func = DIGEST_LIST_CHECK;
 else
 result = -EINVAL;
 if (!result)