summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRoberto Sassu <rsassu@suse.de>2015-04-11 17:12:39 +0200
committerMimi Zohar <zohar@linux.vnet.ibm.com>2015-05-21 13:59:29 -0400
commit8d94eb9b5cff350ba170848c862ca0006d33d496 (patch)
tree88774fba38e58df1530470b3a5072e5b729f2ec6
parent23b5741932ca44856762fa24cc7e01307ab8af1f (diff)
ima: pass iint to ima_add_violation()
This patch adds the iint associated to the current inode as a new parameter of ima_add_violation(). The passed iint is always not NULL if a violation is detected. This modification will be used to determine the inode for which there is a violation. Since the 'd' and 'd-ng' template field init() functions were detecting a violation from the value of the iint pointer, they now check the new field 'violation', added to the 'ima_event_data' structure. Changelog: - v1: - modified an old comment (Roberto Sassu) Signed-off-by: Roberto Sassu <rsassu@suse.de> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-rw-r--r--security/integrity/ima/ima.h2
-rw-r--r--security/integrity/ima/ima_api.c8
-rw-r--r--security/integrity/ima/ima_init.c2
-rw-r--r--security/integrity/ima/ima_main.c5
-rw-r--r--security/integrity/ima/ima_template_lib.c5
5 files changed, 13 insertions, 9 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e13ae5466bf2..c996f7edff3a 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -59,6 +59,7 @@ struct ima_event_data {
const unsigned char *filename;
struct evm_ima_xattr_data *xattr_value;
int xattr_len;
+ const char *violation;
};
/* IMA template field data definition */
@@ -110,6 +111,7 @@ int ima_calc_field_array_hash(struct ima_field_data *field_data,
struct ima_digest_data *hash);
int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
void ima_add_violation(struct file *file, const unsigned char *filename,
+ struct integrity_iint_cache *iint,
const char *op, const char *cause);
int ima_init_crypto(void);
void ima_putc(struct seq_file *m, void *data, int datalen);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 5865ea2a2777..1d950fbb2aec 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -126,11 +126,13 @@ int ima_store_template(struct ima_template_entry *entry,
* value is invalidated.
*/
void ima_add_violation(struct file *file, const unsigned char *filename,
+ struct integrity_iint_cache *iint,
const char *op, const char *cause)
{
struct ima_template_entry *entry;
struct inode *inode = file_inode(file);
- struct ima_event_data event_data = {NULL, file, filename, NULL, 0};
+ struct ima_event_data event_data = {iint, file, filename, NULL, 0,
+ cause};
int violation = 1;
int result;
@@ -264,8 +266,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
int result = -ENOMEM;
struct inode *inode = file_inode(file);
struct ima_template_entry *entry;
- struct ima_event_data event_data = {iint, file, filename,
- xattr_value, xattr_len};
+ struct ima_event_data event_data = {iint, file, filename, xattr_value,
+ xattr_len, NULL};
int violation = 0;
if (iint->flags & IMA_MEASURED)
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 2c668370a438..e600cadd231c 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -50,7 +50,7 @@ static int __init ima_add_boot_aggregate(void)
struct ima_template_entry *entry;
struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
struct ima_event_data event_data = {iint, NULL, boot_aggregate_name,
- NULL, 0};
+ NULL, 0, NULL};
int result = -ENOMEM;
int violation = 0;
struct {
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index eeee00dce729..c21f09bf8b99 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -106,9 +106,10 @@ static void ima_rdwr_violation_check(struct file *file,
*pathname = ima_d_path(&file->f_path, pathbuf);
if (send_tomtou)
- ima_add_violation(file, *pathname, "invalid_pcr", "ToMToU");
+ ima_add_violation(file, *pathname, iint,
+ "invalid_pcr", "ToMToU");
if (send_writers)
- ima_add_violation(file, *pathname,
+ ima_add_violation(file, *pathname, iint,
"invalid_pcr", "open_writers");
}
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 67d513367aac..de0ce4fbdf69 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -209,7 +209,7 @@ int ima_eventdigest_init(struct ima_event_data *event_data,
memset(&hash, 0, sizeof(hash));
- if (!event_data->iint) /* recording a violation. */
+ if (event_data->violation) /* recording a violation. */
goto out;
if (ima_template_hash_algo_allowed(event_data->iint->ima_hash->algo)) {
@@ -247,8 +247,7 @@ int ima_eventdigest_ng_init(struct ima_event_data *event_data,
u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1;
u32 cur_digestsize = 0;
- /* If iint is NULL, we are recording a violation. */
- if (!event_data->iint)
+ if (event_data->violation) /* recording a violation. */
goto out;
cur_digest = event_data->iint->ima_hash->digest;