On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote:
> process_buffer_measurement() is limited to measuring the kexec boot
> command line. This patch makes process_buffer_measurement() more
> generic, allowing it to measure other types of buffer data (e.g.
> blacklisted binary hashes or key hashes).
based on "func".
>
> This patch modifies the function to conditionally retrieve the policy
> defined pcr and template based on the func.
This would be done in a subsequent patch, not here.
> @@ -642,19 +642,38 @@ static void process_buffer_measurement(const void *buf, int size,
> .filename = eventname,
> .buf = buf,
> .buf_len = size};
> - struct ima_template_desc *template_desc = NULL;
> + struct ima_template_desc *template = NULL;
> struct {
> struct ima_digest_data hdr;
> char digest[IMA_MAX_DIGEST_SIZE];
> } hash = {};
> int violation = 0;
> - int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
> int action = 0;
> + u32 secid;
>
> - action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr,
> - &template_desc);
> - if (!(action & IMA_MEASURE))
> - return;
> + if (func) {
> + security_task_getsecid(current, &secid);
> + action = ima_get_action(NULL, current_cred(), secid, 0, func,
> + &pcr, &template);
> + if (!(action & IMA_MEASURE))
> + return;
> + }
> +
Initially there is no need to test "func". A specific "func" test
would be added as needed.
Mimi
