Each time kexec loads an image, ignore the kexec cached status
and re-measure/re-appraise the image.  This patch replaces the
iint kexec status with a generic read status in preparation for
measuring/verifying other files.

Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
 security/integrity/ima/ima_api.c      |  1 +
 security/integrity/ima/ima_appraise.c |  6 +++---
 security/integrity/ima/ima_policy.c   |  2 +-
 security/integrity/integrity.h        | 10 +++++-----
 4 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 2187cb4..65d8f26 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -253,6 +253,7 @@ int ima_collected_measurement(struct integrity_iint_cache 
*iint,
        iint->ima_hash = tmpbuf;
        memcpy(iint->ima_hash, hash, length);
        iint->version = file_inode(file)->i_version;
+       iint->flags &= ~(IMA_MEASURED | IMA_AUDITED| IMA_READ_APPRAISED);
        iint->flags |= IMA_COLLECTED;
        result = 0;
 
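Review bot: The added line clears IMA_MEASURED, IMA_AUDITED and IMA_READ_APPRAISED without a comment saying why, and `IMA_AUDITED| IMA_READ_APPRAISED` is missing the space before `|`, which checkpatch reports as a missing space around a binary operator. A short why-comment above it would make the invalidation explicit, e.g. `/* a newly collected hash invalidates the cached measure/audit/read-appraise results */`, and the line itself should read `iint->flags &= ~(IMA_MEASURED | IMA_AUDITED | IMA_READ_APPRAISED);`. The mask leaves the other *_APPRAISED bits (file, mmap, bprm, module, firmware) intact, so only the read-path appraisal is redone after re-collection; if that asymmetry is deliberate, it is worth stating in the same comment so a later reader does not take it for an omission. The rest of the function in the hunk header, and the caller logic that decides when collection actually re-runs for a kexec load, lie outside this hunk.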
diff --git a/security/integrity/ima/ima_appraise.c 
b/security/integrity/ima/ima_appraise.c
index c74c1de..07bc4e4 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -79,7 +79,7 @@ enum integrity_status ima_get_cache_status(struct 
integrity_iint_cache *iint,
        case FIRMWARE_CHECK:
                return iint->ima_firmware_status;
        case KEXEC_CHECK:
-               return iint->ima_kexec_status;
+               return iint->ima_read_status;
        case FILE_CHECK:
        default:
                return iint->ima_file_status;
@@ -103,7 +103,7 @@ static void ima_set_cache_status(struct 
integrity_iint_cache *iint,
                iint->ima_firmware_status = status;
                break;
        case KEXEC_CHECK:
-               iint->ima_kexec_status = status;
+               iint->ima_read_status = status;
                break;
        case FILE_CHECK:
        default:
@@ -128,7 +128,7 @@ static void ima_cache_flags(struct integrity_iint_cache 
*iint, int func)
                iint->flags |= (IMA_FIRMWARE_APPRAISED | IMA_APPRAISED);
                break;
        case KEXEC_CHECK:
-               iint->flags |= (IMA_KEXEC_APPRAISED | IMA_APPRAISED);
+               iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
                break;
        case FILE_CHECK:
        default:
diff --git a/security/integrity/ima/ima_policy.c 
b/security/integrity/ima/ima_policy.c
index 008693c..4e5aec9 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -305,7 +305,7 @@ static int get_subaction(struct ima_rule_entry *rule, int 
func)
        case FIRMWARE_CHECK:
                return IMA_FIRMWARE_APPRAISE;
        case KEXEC_CHECK:
-               return IMA_KEXEC_APPRAISE;
+               return IMA_READ_APPRAISE;
        case FILE_CHECK:
        default:
                return IMA_FILE_APPRAISE;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 56c571e..9a0ea4c 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -49,14 +49,14 @@
 #define IMA_MODULE_APPRAISED   0x00008000
 #define IMA_FIRMWARE_APPRAISE  0x00010000
 #define IMA_FIRMWARE_APPRAISED 0x00020000
-#define IMA_KEXEC_APPRAISE     0x00040000
-#define IMA_KEXEC_APPRAISED    0x00080000
+#define IMA_READ_APPRAISE      0x00040000
+#define IMA_READ_APPRAISED     0x00080000
 #define IMA_APPRAISE_SUBMASK   (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
                                 IMA_BPRM_APPRAISE | IMA_MODULE_APPRAISE | \
-                                IMA_FIRMWARE_APPRAISE | IMA_KEXEC_APPRAISE)
+                                IMA_FIRMWARE_APPRAISE | IMA_READ_APPRAISE)
 #define IMA_APPRAISED_SUBMASK  (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
                                 IMA_BPRM_APPRAISED | IMA_MODULE_APPRAISED | \
-                                IMA_FIRMWARE_APPRAISED | IMA_KEXEC_APPRAISED)
+                                IMA_FIRMWARE_APPRAISED | IMA_READ_APPRAISED)
 
 enum evm_ima_xattr_type {
        IMA_XATTR_DIGEST = 0x01,
@@ -113,7 +113,7 @@ struct integrity_iint_cache {
        enum integrity_status ima_bprm_status:4;
        enum integrity_status ima_module_status:4;
        enum integrity_status ima_firmware_status:4;
-       enum integrity_status ima_kexec_status:4;
+       enum integrity_status ima_read_status:4;
        enum integrity_status evm_status:4;
        struct ima_digest_data *ima_hash;
 };
-- 
2.1.0

