Each time kexec loads an image, ignore the cached kexec status in the iint and re-measure/re-appraise the image. This patch replaces the kexec-specific iint status with a generic read status, in preparation for measuring/verifying other files.
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
 security/integrity/ima/ima_api.c | 1 +
 security/integrity/ima/ima_appraise.c | 6 +++---
 security/integrity/ima/ima_policy.c | 2 +-
 security/integrity/integrity.h | 10 +++++-----
 4 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 2187cb4..65d8f26 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -253,6 +253,7 @@ int ima_collected_measurement(struct integrity_iint_cache *iint,
 iint->ima_hash = tmpbuf;
 memcpy(iint->ima_hash, hash, length);
 iint->version = file_inode(file)->i_version;
+ iint->flags &= ~(IMA_MEASURED | IMA_AUDITED| IMA_READ_APPRAISED);
 iint->flags |= IMA_COLLECTED;
 result = 0;
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index c74c1de..07bc4e4 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -79,7 +79,7 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
 case FIRMWARE_CHECK:
 return iint->ima_firmware_status;
 case KEXEC_CHECK:
- return iint->ima_kexec_status;
+ return iint->ima_read_status;
 case FILE_CHECK:
 default:
 return iint->ima_file_status;
@@ -103,7 +103,7 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
 iint->ima_firmware_status = status;
 break;
 case KEXEC_CHECK:
- iint->ima_kexec_status = status;
+ iint->ima_read_status = status;
 break;
 case FILE_CHECK:
 default:
@@ -128,7 +128,7 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
 iint->flags |= (IMA_FIRMWARE_APPRAISED | IMA_APPRAISED);
 break;
 case KEXEC_CHECK:
- iint->flags |= (IMA_KEXEC_APPRAISED | IMA_APPRAISED);
+ iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
 break;
 case FILE_CHECK:
 default:
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 008693c..4e5aec9 100644
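Review bot: The added line in the ima_api.c hunk clears IMA_MEASURED, IMA_AUDITED and IMA_READ_APPRAISED when a fresh digest is collected, but leaves the other per-hook bits (IMA_FILE_APPRAISED, IMA_MMAP_APPRAISED, IMA_BPRM_APPRAISED, IMA_MODULE_APPRAISED, IMA_FIRMWARE_APPRAISED) and the aggregate IMA_APPRAISED bit set, so a later appraisal of the same inode through one of those hooks can still return a verdict cached against the previous hash. If that asymmetry is intended (only the read path is meant to be forced to re-appraise), a comment such as `/* a newly collected digest invalidates only the cached read appraisal */` would keep the next reader from "fixing" it; if it is not, clearing `IMA_APPRAISED_SUBMASK | IMA_APPRAISED` here would match the commit description's re-appraise intent — I cannot tell from the hunk which is meant, so please confirm. Minor style: `IMA_AUDITED| IMA_READ_APPRAISED` is missing the space before `|`. The enclosing function starts and ends outside the hunk, so whether this line actually executes on every kexec load (rather than only when IMA_COLLECTED was not yet set) cannot be confirmed from what is shown.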
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -305,7 +305,7 @@ static int get_subaction(struct ima_rule_entry *rule, int func)
 case FIRMWARE_CHECK:
 return IMA_FIRMWARE_APPRAISE;
 case KEXEC_CHECK:
- return IMA_KEXEC_APPRAISE;
+ return IMA_READ_APPRAISE;
 case FILE_CHECK:
 default:
 return IMA_FILE_APPRAISE;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 56c571e..9a0ea4c 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -49,14 +49,14 @@
 #define IMA_MODULE_APPRAISED 0x00008000
 #define IMA_FIRMWARE_APPRAISE 0x00010000
 #define IMA_FIRMWARE_APPRAISED 0x00020000
-#define IMA_KEXEC_APPRAISE 0x00040000
-#define IMA_KEXEC_APPRAISED 0x00080000
+#define IMA_READ_APPRAISE 0x00040000
+#define IMA_READ_APPRAISED 0x00080000
 #define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
 IMA_BPRM_APPRAISE | IMA_MODULE_APPRAISE | \
- IMA_FIRMWARE_APPRAISE | IMA_KEXEC_APPRAISE)
+ IMA_FIRMWARE_APPRAISE | IMA_READ_APPRAISE)
 #define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
 IMA_BPRM_APPRAISED | IMA_MODULE_APPRAISED | \
- IMA_FIRMWARE_APPRAISED | IMA_KEXEC_APPRAISED)
+ IMA_FIRMWARE_APPRAISED | IMA_READ_APPRAISED)
 enum evm_ima_xattr_type {
 IMA_XATTR_DIGEST = 0x01,
@@ -113,7 +113,7 @@ struct integrity_iint_cache {
 enum integrity_status ima_bprm_status:4;
 enum integrity_status ima_module_status:4;
 enum integrity_status ima_firmware_status:4;
- enum integrity_status ima_kexec_status:4;
+ enum integrity_status ima_read_status:4;
 enum integrity_status evm_status:4;
 struct ima_digest_data *ima_hash;
 };
-- 
2.1.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module"
in the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html