Message-Id: <1413202125-7062-1-git-send-email-roberto.sassu@polito.it>
Date:	Mon, 13 Oct 2014 14:08:37 +0200
From:	Roberto Sassu <roberto.sassu@...ito.it>
To:	linux-security-module@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org,
	linux-ima-devel@...ts.sourceforge.net, zohar@...ibm.com,
	d.kasatkin@...sung.com, jmorris@...ei.org,
	Roberto Sassu <roberto.sassu@...ito.it>
Subject: [PATCH-v4 0/5] ima: add support for custom template formats

Hi everyone,

the currently accepted patches for the new template management mechanism allow
choosing among a list of supported templates, statically defined in the code.
This functionality is not flexible enough, as users may want to include
in their measurements list only the information they need, rather than
predefined combinations.

For this reason, this patch set introduces the new kernel command line parameter
'ima_template_fmt' to specify a custom template format at boot time,
i.e. a string of template fields identifiers concatenated with the '|'
separator character. The complete list of defined template fields can be
found in Documentation/security/IMA-templates.txt.

The format string is checked at the very beginning in the setup function
ima_template_fmt_setup() so that, if it is wrong, IMA can go back to the
default template, selected through a kernel configuration option.

To allow userspace tools to parse a measurements list with a custom format, IMA
provides as the template name the same format string supplied by the user at
boot time, so that tools know which information is included in an entry and can
extract it if they can handle the listed template fields.

Changelog:
 - v3 (sent to ima-devel mailing list only):
   - patch 2/5: check the first byte of 'e->template_desc->name' instead of
     using strlen() in ima_fs.c (suggested by Mimi Zohar)
   - patch 3/5: added 'goto out' in template_desc_init_fields() to free
     allocated memory if a template field length is not valid (suggested by
     Mimi Zohar)
   - patch 4/5: do not check in this patch if 'fields' and 'num_fields' are NULL
     (suggested by Mimi Zohar)
   - patch 5/5: added check for 'fields' and 'num_fields' in
     template_desc_init_fields() (suggested by Mimi Zohar)

 - v2:
   - patch 1/5: display an error message if the format string contains too many
     fields (Roberto Sassu)
   - patch 2/5: print the template format in ima_init_template(), if the
     selected template is custom (Roberto Sassu)
   - patch 3/5: new
   - patch 4/5: new
   - patch 5/5: using template_desc_init_fields() to validate a format string
     (Roberto Sassu)
   - patch 5/5: updated documentation by stating that only the chosen template
     descriptor is initialized (Roberto Sassu)

 - v1:
   - patch 2/3: fixed patch description (Roberto Sassu, suggested by Mimi Zohar)
   - patch 3/3: set 'template_name' variable in ima_fs.c only once
     (Roberto Sassu, suggested by Mimi Zohar)
   - patch 3/3: simplified code of ima_template_fmt_setup()
     (Roberto Sassu, suggested by Mimi Zohar)
   - the patch 'ima: make a copy of template_fmt in template_desc_init_fields()'
     has been removed from this version of the patch set since it has been
     already merged in the mainline kernel (commit: dbc335d2d + fix: af91706d5)


Roberto Sassu (5):
  ima: added error messages to template-related functions
  ima: display template format in meas. list if template name length is
    zero
  ima: don't allocate a copy of template_fmt in
    template_desc_init_fields()
  ima: allocate field pointers array on demand in
    template_desc_init_fields()
  ima: added support for new kernel cmdline parameter ima_template_fmt

 Documentation/kernel-parameters.txt      |   4 ++
 Documentation/security/IMA-templates.txt |  29 +++++----
 security/integrity/ima/ima_fs.c          |  16 +++--
 security/integrity/ima/ima_template.c    | 103 +++++++++++++++++++++----------
 4 files changed, 101 insertions(+), 51 deletions(-)

-- 
1.9.3
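
The following is an added example, not code from the patch set or the kernel: a user-space model of the two behaviours the cover letter describes, namely validating a '|'-separated format string such as "d-ng|n-ng" at setup time (falling back to the default template when it is wrong, with error messages for unknown fields or too many of them) and, on the consumer side, resolving the template name found in a measurements-list entry back to its fields. The field identifiers "d", "n", "d-ng" and "n-ng", the 15-field limit, the 64-byte format length cap, the built-in template table and the "ima-ng" default are all assumptions made for the illustration.

```c
/* Added example (not kernel code): model of custom IMA template format
 * handling.  Field identifiers, limits and the default template are
 * assumptions for illustration, not taken from the patch set. */
#include <stdio.h>
#include <string.h>

#define MAX_FIELDS   15   /* assumed: maximum fields per template */
#define MAX_FMT_LEN  64   /* assumed: longest format string accepted */

/* Field identifiers assumed to be those listed in IMA-templates.txt. */
static const char *known_fields[] = { "d", "n", "d-ng", "n-ng" };

struct template_desc {
    char name[MAX_FMT_LEN];        /* name exposed in the measurements list */
    const char *fields[MAX_FIELDS];
    int num_fields;
};

/* Stand-in for the statically defined template list. */
static const struct template_desc builtin[] = {
    { "ima",    { "d", "n" },       2 },
    { "ima-ng", { "d-ng", "n-ng" }, 2 },
};
#define NBUILTIN (sizeof(builtin) / sizeof(builtin[0]))

static const char *lookup_field(const char *id, size_t len)
{
    size_t i;
    for (i = 0; i < sizeof(known_fields) / sizeof(known_fields[0]); i++)
        if (strlen(known_fields[i]) == len && !memcmp(known_fields[i], id, len))
            return known_fields[i];
    return NULL;
}

/* Parse "a|b|c" into desc->fields.  Returns 0 on success, -1 when the
 * string is over-long, has an empty field, an unknown field, or too
 * many fields.  On success the template name is the format string. */
int template_desc_init_fields(const char *fmt, struct template_desc *desc)
{
    const char *p = fmt;

    memset(desc, 0, sizeof(*desc));
    if (!fmt || strlen(fmt) >= MAX_FMT_LEN)
        return -1;
    for (;;) {
        const char *sep = strchr(p, '|');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        const char *f;

        if (len == 0) {
            fprintf(stderr, "empty field in format '%s'\n", fmt);
            return -1;
        }
        if (desc->num_fields >= MAX_FIELDS) {
            fprintf(stderr, "too many fields in format '%s'\n", fmt);
            return -1;
        }
        f = lookup_field(p, len);
        if (!f) {
            fprintf(stderr, "unknown field '%.*s'\n", (int)len, p);
            return -1;
        }
        desc->fields[desc->num_fields++] = f;
        if (!sep)
            break;
        p = sep + 1;
    }
    strcpy(desc->name, fmt);
    return 0;
}

/* Boot-time selection: a valid custom format is used, otherwise fall
 * back to the configured default (assumed to be "ima-ng" here). */
const struct template_desc *ima_select_template(const char *cmdline_fmt,
                                                struct template_desc *custom)
{
    size_t i;
    if (cmdline_fmt && template_desc_init_fields(cmdline_fmt, custom) == 0)
        return custom;
    for (i = 0; i < NBUILTIN; i++)
        if (!strcmp(builtin[i].name, "ima-ng"))
            return &builtin[i];
    return NULL;
}

/* Consumer side: the template name in a list entry is either a built-in
 * name or, for custom templates, the format string itself. */
int resolve_template_name(const char *name, struct template_desc *out)
{
    size_t i;
    for (i = 0; i < NBUILTIN; i++)
        if (!strcmp(builtin[i].name, name)) {
            *out = builtin[i];
            return 0;
        }
    return template_desc_init_fields(name, out);
}
```

A consumer that only understands, say, "d-ng" and "n-ng" should refuse entries whose resolved descriptor contains any other field rather than guessing at their layout; resolve_template_name() gives it exactly the field list needed to make that decision.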

