From: Roberto Sassu <roberto.sassu@xxxxxxxxxx> The digest_cache LSM allows integrity providers to record how the digest list being used to populate the digest cache was verified. Integrity providers can register a kernel_post_read_file LSM hook implementation, and call digest_cache_verif_set() providing the result of the digest list verification, together with the digest list file descriptor. IMA calls digest_cache_verif_set() during the DIGEST_LIST_CHECK hook (kernel read with file type READING_DIGEST_LIST), and attaches to the digest cache a u64 variable with the IMA_DIGEST_CACHE_MEASURE_CONTENT and IMA_DIGEST_CACHE_APPRAISE_CONTENT flags set, if the digest list was respectively measured and appraised. The same flags are set in another u64 variable, if 'digest_cache=content' appears respectively in a measure or appraise rule. The final decision on whether the digest cache can be used for measurement and appraisal depends on the AND of these two variables, so it must have been authorized with the IMA policy and the same action must have been done on the digest list. This prevents remote verifiers from receiving an incomplete IMA measurement list, where measurements are skipped, but there isn't the digest list the calculated file digest was search into. It also prevents successful appraisal without appraising the digest list itself. Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> --- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_main.c | 19 ++++++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index deee56d99d6f..2dbcaf0a9402 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -20,6 +20,7 @@ #include <linux/hash.h> #include <linux/tpm.h> #include <linux/audit.h> +#include <linux/digest_cache.h> #include <crypto/hash_info.h> #include "../integrity.h" diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index e3ca80098c4c..3fc48214850a 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -214,7 +214,7 @@ static int process_measurement(struct file *file, const struct cred *cred, char *pathbuf = NULL; char filename[NAME_MAX]; const char *pathname = NULL; - int rc = 0, action, must_appraise = 0; + int rc = 0, digest_cache_rc, action, must_appraise = 0; int pcr = CONFIG_IMA_MEASURE_PCR_IDX; struct evm_ima_xattr_data *xattr_value = NULL; struct modsig *modsig = NULL; @@ -222,6 +222,7 @@ static int process_measurement(struct file *file, const struct cred *cred, bool violation_check; enum hash_algo hash_algo; unsigned int allowed_algos = 0; + u64 verif_mask = 0; if (!ima_policy_flag || !S_ISREG(inode->i_mode)) return 0; @@ -399,6 +400,22 @@ static int process_measurement(struct file *file, const struct cred *cred, if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) && !(iint->flags & IMA_NEW_FILE)) rc = -EACCES; + if (!rc && func == DIGEST_LIST_CHECK) { + if (iint->flags & IMA_MEASURED) + verif_mask |= IMA_DIGEST_CACHE_MEASURE_CONTENT; + if (iint->flags & IMA_APPRAISED_SUBMASK) + verif_mask |= IMA_DIGEST_CACHE_APPRAISE_CONTENT; + + /* Remember actions done on digest list for later use. */ + digest_cache_rc = digest_cache_verif_set(file, "ima", + &verif_mask, + sizeof(verif_mask)); + /* Ignore if fd doesn't have digest cache set (prefetching). */ + if (digest_cache_rc && digest_cache_rc != -ENOENT) + pr_debug("Cannot set verification mask for %s, ret: %d, ignoring\n", + file_dentry(file)->d_name.name, + digest_cache_rc); + } mutex_unlock(&iint->mutex); kfree(xattr_value); ima_free_modsig(modsig); -- 2.34.1