davidlt/kernel-ark
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

ima: Define new template field imode

Browse Source 
This patch defines the new template field imode, which includes the
inode mode. It can be used by a remote verifier to verify the EVM portable
signature, if it was included with the template fields sig or evmsig.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Roberto Sassu 2021-05-28 09:38:08 +02:00 committed by Mimi Zohar
parent 7dcfeacc5a
commit f8216f6b95
4 changed files with 27 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Documentation/security/IMA-templates.rst
View File

@ -77,6 +77,7 @@ descriptors by adding their identifier to the format string
- 'evmsig': the EVM portable signature; - 'evmsig': the EVM portable signature;
- 'iuid': the inode UID; - 'iuid': the inode UID;
- 'igid': the inode GID; - 'igid': the inode GID;
- 'imode': the inode mode;
Below, there is the list of defined template descriptors: Below, there is the list of defined template descriptors:

2
security/integrity/ima/ima_template.c
View File

@ -51,6 +51,8 @@ static const struct ima_template_field supported_fields[] = {
.field_show = ima_show_template_uint}, .field_show = ima_show_template_uint},
{.field_id = "igid", .field_init = ima_eventinodegid_init, {.field_id = "igid", .field_init = ima_eventinodegid_init,
.field_show = ima_show_template_uint}, .field_show = ima_show_template_uint},
{.field_id = "imode", .field_init = ima_eventinodemode_init,
.field_show = ima_show_template_uint},
}; };
/* /*

22
security/integrity/ima/ima_template_lib.c
View File

@ -596,3 +596,25 @@ int ima_eventinodegid_init(struct ima_event_data *event_data,
{ {
return ima_eventinodedac_init_common(event_data, field_data, false); return ima_eventinodedac_init_common(event_data, field_data, false);
} }
/*
* ima_eventinodemode_init - include the inode mode as part of the template
* data
*/
int ima_eventinodemode_init(struct ima_event_data *event_data,
struct ima_field_data *field_data)
{
struct inode *inode;
umode_t mode;
if (!event_data->file)
return 0;
inode = file_inode(event_data->file);
mode = inode->i_mode;
if (ima_canonical_fmt)
mode = cpu_to_le16(mode);
return ima_write_template_field_data((char *)&mode, sizeof(mode),
DATA_FMT_UINT, field_data);
}

2
security/integrity/ima/ima_template_lib.h
View File

@ -54,4 +54,6 @@ int ima_eventinodeuid_init(struct ima_event_data *event_data,
struct ima_field_data *field_data); struct ima_field_data *field_data);
int ima_eventinodegid_init(struct ima_event_data *event_data, int ima_eventinodegid_init(struct ima_event_data *event_data,
struct ima_field_data *field_data); struct ima_field_data *field_data);
int ima_eventinodemode_init(struct ima_event_data *event_data,
struct ima_field_data *field_data);
#endif /* __LINUX_IMA_TEMPLATE_LIB_H */ #endif /* __LINUX_IMA_TEMPLATE_LIB_H */