Commit c6af8efe authored by Mimi Zohar

ima: remove firmware and module specific cached status info

Each time a file is read by the kernel, the file should be re-measured and
the file signature re-appraised, based on policy.  As there is no need to
preserve the status information, this patch replaces the firmware and
module specific cache status with a generic one named read_file.

This change simplifies adding support for other files read by the kernel.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Petko Manolov <petkan@mip-labs.com>
Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
parent a1db7420
...@@ -77,7 +77,7 @@ static void iint_free(struct integrity_iint_cache *iint) ...@@ -77,7 +77,7 @@ static void iint_free(struct integrity_iint_cache *iint)
iint->ima_file_status = INTEGRITY_UNKNOWN; iint->ima_file_status = INTEGRITY_UNKNOWN;
iint->ima_mmap_status = INTEGRITY_UNKNOWN; iint->ima_mmap_status = INTEGRITY_UNKNOWN;
iint->ima_bprm_status = INTEGRITY_UNKNOWN; iint->ima_bprm_status = INTEGRITY_UNKNOWN;
iint->ima_module_status = INTEGRITY_UNKNOWN; iint->ima_read_status = INTEGRITY_UNKNOWN;
iint->evm_status = INTEGRITY_UNKNOWN; iint->evm_status = INTEGRITY_UNKNOWN;
kmem_cache_free(iint_cache, iint); kmem_cache_free(iint_cache, iint);
} }
...@@ -157,7 +157,7 @@ static void init_once(void *foo) ...@@ -157,7 +157,7 @@ static void init_once(void *foo)
iint->ima_file_status = INTEGRITY_UNKNOWN; iint->ima_file_status = INTEGRITY_UNKNOWN;
iint->ima_mmap_status = INTEGRITY_UNKNOWN; iint->ima_mmap_status = INTEGRITY_UNKNOWN;
iint->ima_bprm_status = INTEGRITY_UNKNOWN; iint->ima_bprm_status = INTEGRITY_UNKNOWN;
iint->ima_module_status = INTEGRITY_UNKNOWN; iint->ima_read_status = INTEGRITY_UNKNOWN;
iint->evm_status = INTEGRITY_UNKNOWN; iint->evm_status = INTEGRITY_UNKNOWN;
} }
...@@ -144,9 +144,10 @@ enum ima_hooks { ...@@ -144,9 +144,10 @@ enum ima_hooks {
FILE_CHECK = 1, FILE_CHECK = 1,
MMAP_CHECK, MMAP_CHECK,
BPRM_CHECK, BPRM_CHECK,
POST_SETATTR,
MODULE_CHECK, MODULE_CHECK,
FIRMWARE_CHECK, FIRMWARE_CHECK,
POST_SETATTR MAX_CHECK
}; };
/* LIM API function definitions */ /* LIM API function definitions */
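Review bot: The reordered enum now carries an unstated invariant: the `MODULE_CHECK ... MAX_CHECK - 1` case ranges added in ima_api.c and ima_policy.c treat every hook from MODULE_CHECK up to the new MAX_CHECK sentinel as a kernel read_file hook, which is the reason POST_SETATTR had to move above MODULE_CHECK, but nothing in ima_hooks says so. A hook appended after FIRMWARE_CHECK silently inherits read_file caching and appraisal, while one inserted above MODULE_CHECK lands in the FILE_CHECK path unless every switch is also touched. I'd put a comment on the MODULE_CHECK line: `/* read_file hooks: MODULE_CHECK .. MAX_CHECK - 1 share ima_read_status; add new kernel-read hooks here, above MAX_CHECK */`, and mark MAX_CHECK as a sentinel that must stay last and never be passed as a hook.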
...@@ -74,13 +74,12 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, ...@@ -74,13 +74,12 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
return iint->ima_mmap_status; return iint->ima_mmap_status;
case BPRM_CHECK: case BPRM_CHECK:
return iint->ima_bprm_status; return iint->ima_bprm_status;
case MODULE_CHECK:
return iint->ima_module_status;
case FIRMWARE_CHECK:
return iint->ima_firmware_status;
case FILE_CHECK: case FILE_CHECK:
default: case POST_SETATTR:
return iint->ima_file_status; return iint->ima_file_status;
case MODULE_CHECK ... MAX_CHECK - 1:
default:
return iint->ima_read_status;
} }
} }
...@@ -95,15 +94,14 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint, ...@@ -95,15 +94,14 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
case BPRM_CHECK: case BPRM_CHECK:
iint->ima_bprm_status = status; iint->ima_bprm_status = status;
break; break;
case MODULE_CHECK:
iint->ima_module_status = status;
break;
case FIRMWARE_CHECK:
iint->ima_firmware_status = status;
break;
case FILE_CHECK: case FILE_CHECK:
default: case POST_SETATTR:
iint->ima_file_status = status; iint->ima_file_status = status;
break;
case MODULE_CHECK ... MAX_CHECK - 1:
default:
iint->ima_read_status = status;
break;
} }
} }
...@@ -117,15 +115,14 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, ...@@ -117,15 +115,14 @@ static void ima_cache_flags(struct integrity_iint_cache *iint,
case BPRM_CHECK: case BPRM_CHECK:
iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED); iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
break; break;
case MODULE_CHECK:
iint->flags |= (IMA_MODULE_APPRAISED | IMA_APPRAISED);
break;
case FIRMWARE_CHECK:
iint->flags |= (IMA_FIRMWARE_APPRAISED | IMA_APPRAISED);
break;
case FILE_CHECK: case FILE_CHECK:
default: case POST_SETATTR:
iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED); iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
break;
case MODULE_CHECK ... MAX_CHECK - 1:
default:
iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
break;
} }
} }
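Review bot: In ima_get_cache_status and ima_set_cache_status the `default:` arm is now folded into the read_file range, so a func value outside the enum is answered from ima_read_status instead of ima_file_status as before; with MAX_CHECK available, an out-of-range func could be rejected loudly rather than mapped to whichever slot happens to sit last. Separately, MODULE_CHECK and FIRMWARE_CHECK now share one status slot and one IMA_READ_APPRAISED bit (ima_cache_flags), so a result cached under one hook can be returned for the other; whether that is harmless depends on the caller discarding cached read results on every kernel read, as the description promises, and that caller is outside this hunk. I'd record the assumption at the range in ima_get_cache_status: `/* all kernel read_file hooks share one slot; a status cached by one hook must not be trusted by another without re-appraisal */`. ima_get_cache_status begins above the first hunk.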
...@@ -300,13 +300,12 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) ...@@ -300,13 +300,12 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
return IMA_MMAP_APPRAISE; return IMA_MMAP_APPRAISE;
case BPRM_CHECK: case BPRM_CHECK:
return IMA_BPRM_APPRAISE; return IMA_BPRM_APPRAISE;
case MODULE_CHECK:
return IMA_MODULE_APPRAISE;
case FIRMWARE_CHECK:
return IMA_FIRMWARE_APPRAISE;
case FILE_CHECK: case FILE_CHECK:
default: case POST_SETATTR:
return IMA_FILE_APPRAISE; return IMA_FILE_APPRAISE;
case MODULE_CHECK ... MAX_CHECK - 1:
default:
return IMA_READ_APPRAISE;
} }
} }
...@@ -45,18 +45,12 @@ ...@@ -45,18 +45,12 @@
#define IMA_MMAP_APPRAISED 0x00000800 #define IMA_MMAP_APPRAISED 0x00000800
#define IMA_BPRM_APPRAISE 0x00001000 #define IMA_BPRM_APPRAISE 0x00001000
#define IMA_BPRM_APPRAISED 0x00002000 #define IMA_BPRM_APPRAISED 0x00002000
#define IMA_MODULE_APPRAISE 0x00004000 #define IMA_READ_APPRAISE 0x00004000
#define IMA_MODULE_APPRAISED 0x00008000 #define IMA_READ_APPRAISED 0x00008000
#define IMA_FIRMWARE_APPRAISE 0x00010000
#define IMA_FIRMWARE_APPRAISED 0x00020000
#define IMA_READ_APPRAISE 0x00040000
#define IMA_READ_APPRAISED 0x00080000
#define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \ #define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
IMA_BPRM_APPRAISE | IMA_MODULE_APPRAISE | \ IMA_BPRM_APPRAISE | IMA_READ_APPRAISE)
IMA_FIRMWARE_APPRAISE | IMA_READ_APPRAISE)
#define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \ #define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
IMA_BPRM_APPRAISED | IMA_MODULE_APPRAISED | \ IMA_BPRM_APPRAISED | IMA_READ_APPRAISED)
IMA_FIRMWARE_APPRAISED | IMA_READ_APPRAISED)
enum evm_ima_xattr_type { enum evm_ima_xattr_type {
IMA_XATTR_DIGEST = 0x01, IMA_XATTR_DIGEST = 0x01,
...@@ -111,8 +105,6 @@ struct integrity_iint_cache { ...@@ -111,8 +105,6 @@ struct integrity_iint_cache {
enum integrity_status ima_file_status:4; enum integrity_status ima_file_status:4;
enum integrity_status ima_mmap_status:4; enum integrity_status ima_mmap_status:4;
enum integrity_status ima_bprm_status:4; enum integrity_status ima_bprm_status:4;
enum integrity_status ima_module_status:4;
enum integrity_status ima_firmware_status:4;
enum integrity_status ima_read_status:4; enum integrity_status ima_read_status:4;
enum integrity_status evm_status:4; enum integrity_status evm_status:4;
struct ima_digest_data *ima_hash; struct ima_digest_data *ima_hash;
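Review bot: The renumbering keeps each *_APPRAISED bit exactly one position above its *_APPRAISE bit (0x00004000/0x00008000 for READ, matching the FILE/MMAP/BPRM pairs), and if, as that layout suggests, code outside this hunk derives the done flag by shifting the action flag, the pairing is an invariant that deserves a comment rather than being implicit. The vacated values 0x00010000 through 0x00080000 are now unused, which is also worth stating so the next hook does not reuse a bit that some other definition outside this hunk may already hold. Proposed comment above IMA_READ_APPRAISE: `/* each *_APPRAISED bit must be its *_APPRAISE bit << 1; 0x00010000..0x00080000 are currently free */`.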