Re: [PATCH 3/3] IMA: add support to measure duplicate buffer for critical data hook

2021-02-09 Thread Tushar Sugandhi 




On 2021-02-08 12:24 p.m., Mimi Zohar wrote:

Hi Tushar,

On Fri, 2021-01-29 at 16:45 -0800, Tushar Sugandhi wrote:


diff --git a/security/integrity/ima/ima_queue.c 
b/security/integrity/ima/ima_queue.c

index c096ef8945c7..fbf359495fa8 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -158,7 +158,7 @@ static int ima_pcr_extend(struct tpm_digest *digests_arg, 
int pcr)
   */
  int ima_add_template_entry(struct ima_template_entry *entry, int violation,
   const char *op, struct inode *inode,
-  const unsigned char *filename)
+  const unsigned char *filename, bool allow_dup)
  {
u8 *digest = entry->digests[ima_hash_algo_idx].digest;


struct tpm_digestate_entry(struct ima_template_entry *entry, int 
violation,

Not sure I understand this.  Maybe a typo?  Could you please explain?

  
  	mutex_lock(_extend_list_mutex);

if (!violation) {
-   if (ima_lookup_digest_entry(digest, entry->pcr)) {
+   if (!allow_dup &&
+   ima_lookup_digest_entry(digest, entry->pcr)) {


Can't this change be simplified to "if (!violation && !allow_dup)"?


Sure.  Will do.

Earlier I wasn't sure if 'violation' would touch any other use-cases 
inadvertently.  That's why I localized the change as above.


But now since we are supporting other scenarios as well,
I believe "if (!violation && !allow_dup)" would be cleaner.


Also perhaps instead of passing another variable "allow_dup" to each of
these functions, pass a mask containing violation and allow_dup.


There were examples of both approaches in ima_match_policy().
 - int *pcr/ima_template_desc **template_desc as an out-param;
 - and various actions as flags in return int.

Earlier I couldn't decide one way or the other, so I picked the 
out-param approach.


But since allow_dup is just a single bit info, returning it as a bit in 
the action flag is a cleaner solution.

Will implement it with flag in the next iteration.

Thanks again for reviewing the series.  Really appreciate it.

Thanks,
Tushar


audit_cause = "hash_exists";
result = -EEXIST;
goto out;


thanks,

Mimi

Re: [PATCH 3/3] IMA: add support to measure duplicate buffer for critical data hook

2021-02-08 Thread Mimi Zohar 
Hi Tushar,

On Fri, 2021-01-29 at 16:45 -0800, Tushar Sugandhi wrote:

> diff --git a/security/integrity/ima/ima_queue.c 
> b/security/integrity/ima/ima_queue.c
> 
> index c096ef8945c7..fbf359495fa8 100644
> --- a/security/integrity/ima/ima_queue.c
> +++ b/security/integrity/ima/ima_queue.c
> @@ -158,7 +158,7 @@ static int ima_pcr_extend(struct tpm_digest *digests_arg, 
> int pcr)
>   */
>  int ima_add_template_entry(struct ima_template_entry *entry, int violation,
>  const char *op, struct inode *inode,
> -const unsigned char *filename)
> +const unsigned char *filename, bool allow_dup)
>  {
>   u8 *digest = entry->digests[ima_hash_algo_idx].digest;
> 
struct tpm_digestate_entry(struct ima_template_entry *entry, int 
violation,
>  
>   mutex_lock(_extend_list_mutex);
>   if (!violation) {
> - if (ima_lookup_digest_entry(digest, entry->pcr)) {
> + if (!allow_dup &&
> + ima_lookup_digest_entry(digest, entry->pcr)) {

Can't this change be simplified to "if (!violation && !allow_dup)"?

Also perhaps instead of passing another variable "allow_dup" to each of
these functions, pass a mask containing violation and allow_dup.

>   audit_cause = "hash_exists";
>   result = -EEXIST;
>   goto out;

thanks,

Mimi

[PATCH 3/3] IMA: add support to measure duplicate buffer for critical data hook

2021-01-29 Thread Tushar Sugandhi 
process_buffer_measurement() and the underlying functions do not use the
policy condition to measure duplicate buffer entries for integrity
critical data.

Update process_buffer_measurement(), ima_add_template_entry(), and
ima_store_template() to use the policy condition to decide if a
duplicate buffer entry for integrity critical data should be measured.

Signed-off-by: Tushar Sugandhi 
---
 security/integrity/ima/ima.h   | 4 ++--
 security/integrity/ima/ima_api.c   | 9 +
 security/integrity/ima/ima_init.c  | 2 +-
 security/integrity/ima/ima_main.c  | 5 +++--
 security/integrity/ima/ima_queue.c | 5 +++--
 5 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 59324173497f..b06732560949 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -139,7 +139,7 @@ int ima_init(void);
 int ima_fs_init(void);
 int ima_add_template_entry(struct ima_template_entry *entry, int violation,
   const char *op, struct inode *inode,
-  const unsigned char *filename);
+  const unsigned char *filename, bool allow_dup);
 int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
 int ima_calc_buffer_hash(const void *buf, loff_t len,
 struct ima_digest_data *hash);
@@ -278,7 +278,7 @@ int ima_alloc_init_template(struct ima_event_data 
*event_data,
struct ima_template_desc *template_desc);
 int ima_store_template(struct ima_template_entry *entry, int violation,
   struct inode *inode,
-  const unsigned char *filename, int pcr);
+  const unsigned char *filename, int pcr, bool allow_dup);
 void ima_free_template_entry(struct ima_template_entry *entry);
 const char *ima_d_path(const struct path *path, char **pathbuf, char 
*filename);
 
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index d273373e6be9..f84369f9905e 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -101,7 +101,7 @@ int ima_alloc_init_template(struct ima_event_data 
*event_data,
  */
 int ima_store_template(struct ima_template_entry *entry,
   int violation, struct inode *inode,
-  const unsigned char *filename, int pcr)
+  const unsigned char *filename, int pcr, bool allow_dup)
 {
static const char op[] = "add_template_measure";
static const char audit_cause[] = "hashing_error";
@@ -119,7 +119,8 @@ int ima_store_template(struct ima_template_entry *entry,
}
}
entry->pcr = pcr;
-   result = ima_add_template_entry(entry, violation, op, inode, filename);
+   result = ima_add_template_entry(entry, violation, op, inode, filename,
+   allow_dup);
return result;
 }
 
@@ -152,7 +153,7 @@ void ima_add_violation(struct file *file, const unsigned 
char *filename,
goto err_out;
}
result = ima_store_template(entry, violation, inode,
-   filename, CONFIG_IMA_MEASURE_PCR_IDX);
+   filename, CONFIG_IMA_MEASURE_PCR_IDX, 
false);
if (result < 0)
ima_free_template_entry(entry);
 err_out:
@@ -330,7 +331,7 @@ void ima_store_measurement(struct integrity_iint_cache 
*iint,
return;
}
 
-   result = ima_store_template(entry, violation, inode, filename, pcr);
+   result = ima_store_template(entry, violation, inode, filename, pcr, 
false);
if ((!result || result == -EEXIST) && !(file->f_flags & O_DIRECT)) {
iint->flags |= IMA_MEASURED;
iint->measured_pcrs |= (0x1 << pcr);
diff --git a/security/integrity/ima/ima_init.c 
b/security/integrity/ima/ima_init.c
index 6e8742916d1d..d0a79d7b8d89 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -88,7 +88,7 @@ static int __init ima_add_boot_aggregate(void)
 
result = ima_store_template(entry, violation, NULL,
boot_aggregate_name,
-   CONFIG_IMA_MEASURE_PCR_IDX);
+   CONFIG_IMA_MEASURE_PCR_IDX, false);
if (result < 0) {
ima_free_template_entry(entry);
audit_cause = "store_entry";
diff --git a/security/integrity/ima/ima_main.c 
b/security/integrity/ima/ima_main.c
index 2774139845b6..ff6d15d7594c 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -843,6 +843,7 @@ void process_buffer_measurement(struct inode *inode, const 
void *buf, int size,
int digest_hash_len = hash_digest_size[ima_hash_algo];
int violation = 0;
int action = 0;
+   bool allow_dup = false;
u32 secid;