ima: extend ima_get_action() to return the policy pcr

Different policy rules may extend different PCRs. This patch retrieves the specific PCR for the matched rule. Subsequent patches will include the rule specific PCR in the measurement list and extend the appropriate PCR. Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
author: Eric Richter <erichte@linux.vnet.ibm.com> 2016-06-01 13:14:02 -0500
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2016-06-30 01:14:20 -0400
commit: 725de7fabb9fe4ca388c780ad4644352f2f06ccc (patch)
tree: ae95889e652b85b4fa1801bd13a5a37b03f7874c /security
parent: ima: add policy support for extending different pcrs (diff)
download: linux-dev-725de7fabb9fe4ca388c780ad4644352f2f06ccc.tar.xz
linux-dev-725de7fabb9fe4ca388c780ad4644352f2f06ccc.zip
5 files changed, 14 insertions, 7 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index d3a939bf2781..3c8e71e9e049 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -154,7 +154,8 @@ enum ima_hooks {
 };
 
 /* LIM API function definitions */
-int ima_get_action(struct inode *inode, int mask, enum ima_hooks func);
+int ima_get_action(struct inode *inode, int mask,
+		   enum ima_hooks func, int *pcr);
 int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
 int ima_collect_measurement(struct integrity_iint_cache *iint,
 			    struct file *file, void *buf, loff_t size,
@@ -174,7 +175,7 @@ const char *ima_d_path(const struct path *path, char **pathbuf);
 
 /* IMA policy related functions */
 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
-		     int flags);
+		     int flags, int *pcr);
 void ima_init_policy(void);
 void ima_update_policy(void);
 void ima_update_policy_flag(void);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 5a2218fe877a..225b9cede300 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -157,6 +157,7 @@ err_out:
  * @inode: pointer to inode to measure
  * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
  * @func: caller identifier
+ * @pcr: pointer filled in if matched measure policy sets pcr=
  *
  * The policy is defined in terms of keypairs:
  *		subj=, obj=, type=, func=, mask=, fsmagic=
@@ -168,13 +169,13 @@ err_out:
  * Returns IMA_MEASURE, IMA_APPRAISE mask.
  *
  */
-int ima_get_action(struct inode *inode, int mask, enum ima_hooks func)
+int ima_get_action(struct inode *inode, int mask, enum ima_hooks func, int *pcr)
 {
 	int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
 
 	flags &= ima_policy_flag;
 
-	return ima_match_policy(inode, func, mask, flags);
+	return ima_match_policy(inode, func, mask, flags, pcr);
 }
 
 /*
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 1bcbc12e03d9..fe8e92360d77 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -41,7 +41,7 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
 	if (!ima_appraise)
 		return 0;
 
-	return ima_match_policy(inode, func, mask, IMA_APPRAISE);
+	return ima_match_policy(inode, func, mask, IMA_APPRAISE, NULL);
 }
 
 static int ima_fix_xattr(struct dentry *dentry,
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 68b26c340acd..58b08b25437a 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -162,6 +162,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
 	char *pathbuf = NULL;
 	const char *pathname = NULL;
 	int rc = -ENOMEM, action, must_appraise;
+	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
 	struct evm_ima_xattr_data *xattr_value = NULL;
 	int xattr_len = 0;
 	bool violation_check;
@@ -174,7 +175,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
 	 * bitmask based on the appraise/audit/measurement policy.
 	 * Included is the appraise submask.
 	 */
-	action = ima_get_action(inode, mask, func);
+	action = ima_get_action(inode, mask, func, &pcr);
 	violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
 			   (ima_policy_flag & IMA_MEASURE));
 	if (!action && !violation_check)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 3d35fbe3be0b..aed47b777a57 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -324,6 +324,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
  * @inode: pointer to an inode for which the policy decision is being made
  * @func: IMA hook identifier
  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
+ * @pcr: set the pcr to extend
  *
  * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
  * conditions.
@@ -333,7 +334,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
  * than writes so ima_match_policy() is classical RCU candidate.
  */
 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
-		     int flags)
+		     int flags, int *pcr)
 {
 	struct ima_rule_entry *entry;
 	int action = 0, actmask = flags | (flags << 1);
@@ -358,6 +359,9 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
 		else
 			actmask &= ~(entry->action | entry->action >> 1);
 
+		if ((pcr) && (entry->flags & IMA_PCR))
+			*pcr = entry->pcr;
+
 		if (!actmask)
 			break;
 	}
author	Eric Richter <erichte@linux.vnet.ibm.com>	2016-06-01 13:14:02 -0500
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2016-06-30 01:14:20 -0400
commit	725de7fabb9fe4ca388c780ad4644352f2f06ccc (patch)
tree	ae95889e652b85b4fa1801bd13a5a37b03f7874c /security
parent	ima: add policy support for extending different pcrs (diff)
download	linux-dev-725de7fabb9fe4ca388c780ad4644352f2f06ccc.tar.xz linux-dev-725de7fabb9fe4ca388c780ad4644352f2f06ccc.zip