[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c9dffd9d29df095660beaa631ff252c4b33629a0.camel@linux.ibm.com>
Date: Thu, 29 Jul 2021 17:20:42 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Roberto Sassu <roberto.sassu@...wei.com>,
gregkh@...uxfoundation.org, mchehab+huawei@...nel.org
Cc: linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-doc@...r.kernel.org,
linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC][PATCH v2 06/12] diglim: Interfaces - digest_list_add,
digest_list_del
Hi Roberto,
On Mon, 2021-07-26 at 18:36 +0200, Roberto Sassu wrote:
> /*
> + * digest_list_read: read and parse the digest list from the path
> + */
> +static ssize_t digest_list_read(char *path, enum ops op)
> +{
> + void *data = NULL;
> + char *datap;
> + size_t size;
> + u8 actions = 0;
> + struct file *file;
> + char event_name[NAME_MAX + 9 + 1];
> + u8 digest[IMA_MAX_DIGEST_SIZE] = { 0 };
> + enum hash_algo algo;
> + int rc, pathlen = strlen(path);
> +
> + /* Remove \n. */
> + datap = path;
> + strsep(&datap, "\n");
> +
> + file = filp_open(path, O_RDONLY, 0);
> + if (IS_ERR(file)) {
> + pr_err("unable to open file: %s (%ld)", path, PTR_ERR(file));
> + return PTR_ERR(file);
> + }
> +
> + rc = kernel_read_file(file, 0, &data, INT_MAX, NULL,
> + READING_DIGEST_LIST);
> + if (rc < 0) {
> + pr_err("unable to read file: %s (%d)", path, rc);
> + goto out;
> + }
> +
> + size = rc;
> +
> + snprintf(event_name, sizeof(event_name), "%s_file_%s",
> + op == DIGEST_LIST_ADD ? "add" : "del",
> + file_dentry(file)->d_name.name);
> +
> + rc = ima_measure_critical_data("diglim", event_name, data, size, false,
> + digest, sizeof(digest));
> + if (rc < 0 && rc != -EEXIST)
> + goto out_vfree;
The digest lists could easily be measured while reading the digest list
file above in kernel_read_file(). What makes it "critical-data"? In
the SELinux case, the in memory SELinux policy is being measured and
re-measured to make sure it hasn't been modified. Is the digest list
file data being measured more than once?
I understand that with your changes to ima_measure_critical_data(),
which are now in next-integrity-testing branch, allow IMA to calculate
the file data hash.
thanks,
Mimi
> +
> + algo = ima_get_current_hash_algo();
> +
Powered by blists - more mailing lists