On Mon, May 13, 2019 at 6:48 AM Roberto Sassu <roberto.sassu@xxxxxxxxxx> wrote:
>
> On 5/11/2019 12:37 AM, Prakhar Srivastava wrote:
> > From: Prakhar Srivastava <prsriva02@xxxxxxxxx>
> >
> > The buffer(cmdline args) added to the ima log cannot be attested
> > without having the actual buffer. Thus to make the measured buffer
> > available to store/read a new ima template (buf) is added.
>
> Hi Prakhar
>
> please fix the typos. More comments below.
>
>
> > + buffer_event_data->type = IMA_XATTR_BUFFER;
> > + buffer_event_data->buf_length = size;
> > + memcpy(buffer_event_data->buf, buf, size);
> > +
> > + event_data.xattr_value = (struct evm_ima_xattr_data *)buffer_event_data;
> > + event_data.xattr_len = alloc_length;
>
> I would prefer that you introduce two new fields in the ima_event_data
> structure. You can initialize them directly with the parameters of
> process_buffer_measurement().

I will make the edits, this will definitely save the kzalloc in this
code path.

>
> ima_write_template_field_data() will make
> a copy.
>

Since event_data->type is used to distinguish what the template field
should contain, removing the type and subsequent check in the
template_init, buf template fmt will result in the whole event_data
structure being added to the log, which is not the expected output.
For buffer entries, the buf template fmt will contain the buffer itself.

>
> > + .field_show = ima_show_template_buf},
>
> Please update Documentation/security/IMA-templates.rst

Will update the documentation.

Thanks,
Prakhar Srivastava

>
> Thanks
>
> Roberto
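
Review bot: in the hunk that fills buffer_event_data, the memcpy() of size bytes into buffer_event_data->buf and the following event_data.xattr_len = alloc_length are only safe if alloc_length was computed as the header plus size without overflow and the allocation result was checked, and neither is visible in the quoted lines; please confirm both before these stores. The cast of buffer_event_data to struct evm_ima_xattr_data * also places non-xattr data in event_data.xattr_value, so every consumer that interprets xattr_value through its type field has to recognise IMA_XATTR_BUFFER. Passing the buffer pointer and length in dedicated event data fields would remove the cast, the extra copy and the length bookkeeping in one step.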