lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241119110103.2780453-8-roberto.sassu@huaweicloud.com>
Date: Tue, 19 Nov 2024 12:01:01 +0100
From: Roberto Sassu <roberto.sassu@...weicloud.com>
To: corbet@....net,
	zohar@...ux.ibm.com,
	dmitry.kasatkin@...il.com,
	eric.snowberg@...cle.com,
	paul@...l-moore.com,
	jmorris@...ei.org,
	serge@...lyn.com
Cc: linux-kernel@...r.kernel.org,
	linux-doc@...r.kernel.org,
	linux-integrity@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	wufan@...ux.microsoft.com,
	pbrobinson@...il.com,
	zbyszek@...waw.pl,
	hch@....de,
	mjg59@...f.ucam.org,
	pmatilai@...hat.com,
	jannh@...gle.com,
	dhowells@...hat.com,
	jikos@...nel.org,
	mkoutny@...e.com,
	ppavlu@...e.com,
	petr.vorel@...il.com,
	mzerqung@...inter.de,
	kgold@...ux.ibm.com,
	Roberto Sassu <roberto.sassu@...wei.com>
Subject: [RFC][PATCH v4 7/9] ima: Load verified usage from digest cache found from query

From: Roberto Sassu <roberto.sassu@...wei.com>

Introduce ima_digest_cache_load_verified_usage() to retrieve the verified
usage from the digest cache pointer returned by digest_cache_lookup().

Verified usage cannot be loaded from the digest cache returned by
digest_cache_get() since the latter might return a directory digest cache,
which does not contain any verification data (only set to digest caches
populated from a file).

If digest_cache_lookup() returns the ERR_PTR(-EAGAIN) error pointer,
replace the digest cache pointer in the inode integrity metadata, by
calling digest_cache_get() again, and perform the lookup.

ERR_PTR(-EAGAIN) is returned if the digest cache currently stored in the
inode integrity metadata changed between digest_cache_get() and
digest_cache_lookup(). In this case, getting a fresh digest cache is
necessary to see which changes have been made on the digest cache.

Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
---
 security/integrity/ima/ima_digest_cache.c | 42 +++++++++++++++++++++++
 security/integrity/ima/ima_digest_cache.h |  9 +++++
 2 files changed, 51 insertions(+)

diff --git a/security/integrity/ima/ima_digest_cache.c b/security/integrity/ima/ima_digest_cache.c
index 2c7824ce05cd..b6bd6f9d5442 100644
--- a/security/integrity/ima/ima_digest_cache.c
+++ b/security/integrity/ima/ima_digest_cache.c
@@ -82,3 +82,45 @@ void ima_digest_cache_store_verified_usage(struct file *file,
 		pr_debug("Cannot set verified usage for %s, ret: %d, ignoring\n",
 			 file_dentry(file)->d_name.name, rc);
 }
+
+/**
+ * ima_digest_cache_load_verified_usage - Load verified usage from digest cache
+ * @file: File descriptor of the inode for which the digest cache will be used
+ * @iint: Inode integrity metadata
+ *
+ * Load digest cache verified usage from the digest cache returned by
+ * digest_cache_lookup(), containing the file digest calculated by IMA (if the
+ * digest is found).
+ *
+ * Return: Verified usage if digest is found in digest cache, zero otherwise.
+ */
+u64 ima_digest_cache_load_verified_usage(struct file *file,
+					 struct ima_iint_cache *iint)
+{
+	u64 verified_usage = 0ULL;
+	void *verified_usage_ptr;
+	struct digest_cache *found_cache;
+again:
+	if (!iint->digest_cache)
+		return 0ULL;
+
+	/* Do lookup to get digest cache containing calculated file digest. */
+	found_cache = digest_cache_lookup(file_dentry(file), iint->digest_cache,
+					  iint->ima_hash->digest,
+					  iint->ima_hash->algo);
+	if (!found_cache) {
+		return 0ULL;
+	} else if (found_cache == ERR_PTR(-EAGAIN)) {
+		digest_cache_put(iint->digest_cache);
+		iint->digest_cache = digest_cache_get(file);
+		goto again;
+	}
+
+	/* Get verification data from digest cache with calculated digest. */
+	verified_usage_ptr = digest_cache_verif_get(found_cache, "ima");
+	if (verified_usage_ptr)
+		verified_usage = *(u64 *)verified_usage_ptr;
+
+	digest_cache_put(found_cache);
+	return verified_usage;
+}
diff --git a/security/integrity/ima/ima_digest_cache.h b/security/integrity/ima/ima_digest_cache.h
index 167690930078..23cb53ed02e5 100644
--- a/security/integrity/ima/ima_digest_cache.h
+++ b/security/integrity/ima/ima_digest_cache.h
@@ -14,6 +14,8 @@ bool ima_digest_cache_get_check(struct file *file,
 				struct ima_iint_cache *iint);
 void ima_digest_cache_store_verified_usage(struct file *file,
 					   struct ima_iint_cache *iint);
+u64 ima_digest_cache_load_verified_usage(struct file *file,
+					 struct ima_iint_cache *iint);
 #else
 static inline bool ima_digest_cache_get_check(struct file *file,
 					      struct ima_iint_cache *iint)
@@ -26,4 +28,11 @@ ima_digest_cache_store_verified_usage(struct file *file,
 				      struct ima_iint_cache *iint)
 { }
 
+static inline u64
+ima_digest_cache_load_verified_usage(struct file *file,
+				     struct ima_iint_cache *iint)
+{
+	return 0ULL;
+}
+
 #endif /* CONFIG_INTEGRITY_DIGEST_CACHE */
-- 
2.47.0.118.gfd3785337b

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ