lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1557766592.4969.22.camel@linux.ibm.com>
Date:   Mon, 13 May 2019 12:56:32 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Prakhar Srivastava <prsriva02@...il.com>,
        linux-integrity@...r.kernel.org,
        inux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:     ebiederm@...ssion.com, vgoyal@...hat.com, prsriva@...rosoft.com
Subject: Re: [PATCH 1/3 v5] add a new ima hook and policy to measure the
 cmdline

On Fri, 2019-05-10 at 15:37 -0700, Prakhar Srivastava wrote:

> +/*
> + * process_buffer_measurement - Measure the buffer passed to ima log.

"passed to ima log" is unnecessary.

> + * (Instead of using the file hash use the buffer hash).

This comment, if needed, belongs in the text description area below,
not here.

> + * @buf - The buffer that needs to be added to the log
> + * @size - size of buffer(in bytes)
> + * @eventname - event name to be used for buffer.

Missing are the other fields.

> + *
> + * The buffer passed is added to the ima log.
> + *
> + * On success return 0.
> + * On error cases surface errors from ima calls.

Only IMA-appraise returns errors to the caller.  There's no point in
returning an error.


> + */
> +static int process_buffer_measurement(const void *buf, int size,
> +				const char *eventname, const struct cred *cred,
> +				u32 secid)

This should be "static void".

> +{
> +	int ret = 0;
> +	struct ima_template_entry *entry = NULL;
> +	struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
> +	struct ima_event_data event_data = {iint, NULL, NULL,
> +						NULL, 0, NULL};
> +	struct {
> +		struct ima_digest_data hdr;
> +		char digest[IMA_MAX_DIGEST_SIZE];
> +	} hash;
> +	int violation = 0;
> +	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
> +	int action = 0;
> +
> +	action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr);
> +	if (!(action & IMA_AUDIT) && !(action & IMA_MEASURE))
> +		goto out;
> +
> +	memset(iint, 0, sizeof(*iint));
> +	memset(&hash, 0, sizeof(hash));
> +
> +	event_data.filename = eventname;
> +
> +	iint->ima_hash = &hash.hdr;
> +	iint->ima_hash->algo = ima_hash_algo;
> +	iint->ima_hash->length = hash_digest_size[ima_hash_algo];
> +
> +	ret = ima_calc_buffer_hash(buf, size, iint->ima_hash);
> +	if (ret < 0)
> +		goto out;
> +
> +	ret = ima_alloc_init_template(&event_data, &entry);
> +	if (ret < 0)
> +		goto out;
> +
> +	if (action & IMA_MEASURE)
> +		ret = ima_store_template(entry, violation, NULL, buf, pcr);
> +
> +	if (action & IMA_AUDIT)
> +		ima_audit_measurement(iint, event_data.filename);

The cover letter and patch description say this patch set is limited
to measuring the boot command line - IMA-measurement.
 ima_audit_measurement() adds file hashes in the audit log, which can
be used for security analytics and/or forensics.  This is part of IMA-
audit.  The call to ima_audit_measurement() is inappropriate.

Mimi


> +
> +	if (ret < 0) {
> +		ima_free_template_entry(entry);
> +		goto out;
> +	}
> +
> +out:
> +	return ret;
> +}
> +

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ