mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-08-26 19:00:25 +00:00
4834177e63
Take the properties of the kexec kernel's inode and the current task ownership into consideration when matching a KEXEC_CMDLINE operation to the rules in the IMA policy. This allows for some uniformity when writing IMA policy rules for KEXEC_KERNEL_CHECK, KEXEC_INITRAMFS_CHECK, and KEXEC_CMDLINE operations. Prior to this patch, it was not possible to write a set of rules like this: dont_measure func=KEXEC_KERNEL_CHECK obj_type=foo_t dont_measure func=KEXEC_INITRAMFS_CHECK obj_type=foo_t dont_measure func=KEXEC_CMDLINE obj_type=foo_t measure func=KEXEC_KERNEL_CHECK measure func=KEXEC_INITRAMFS_CHECK measure func=KEXEC_CMDLINE The inode information associated with the kernel being loaded by a kexec_kernel_load(2) syscall can now be included in the decision to measure or not Additonally, the uid, euid, and subj_* conditionals can also now be used in KEXEC_CMDLINE rules. There was no technical reason as to why those conditionals weren't being considered previously other than ima_match_rules() didn't have a valid inode to use so it immediately bailed out for KEXEC_CMDLINE operations rather than going through the full list of conditional comparisons. Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com> Cc: Eric Biederman <ebiederm@xmission.com> Cc: kexec@lists.infradead.org Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
64 lines
1.9 KiB
C
64 lines
1.9 KiB
C
// SPDX-License-Identifier: GPL-2.0+
|
|
/*
|
|
* Copyright (C) 2019 Microsoft Corporation
|
|
*
|
|
* Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)
|
|
*
|
|
* File: ima_asymmetric_keys.c
|
|
* Defines an IMA hook to measure asymmetric keys on key
|
|
* create or update.
|
|
*/
|
|
|
|
#include <keys/asymmetric-type.h>
|
|
#include "ima.h"
|
|
|
|
/**
|
|
* ima_post_key_create_or_update - measure asymmetric keys
|
|
* @keyring: keyring to which the key is linked to
|
|
* @key: created or updated key
|
|
* @payload: The data used to instantiate or update the key.
|
|
* @payload_len: The length of @payload.
|
|
* @flags: key flags
|
|
* @create: flag indicating whether the key was created or updated
|
|
*
|
|
* Keys can only be measured, not appraised.
|
|
* The payload data used to instantiate or update the key is measured.
|
|
*/
|
|
void ima_post_key_create_or_update(struct key *keyring, struct key *key,
|
|
const void *payload, size_t payload_len,
|
|
unsigned long flags, bool create)
|
|
{
|
|
bool queued = false;
|
|
|
|
/* Only asymmetric keys are handled by this hook. */
|
|
if (key->type != &key_type_asymmetric)
|
|
return;
|
|
|
|
if (!payload || (payload_len == 0))
|
|
return;
|
|
|
|
if (ima_should_queue_key())
|
|
queued = ima_queue_key(keyring, payload, payload_len);
|
|
|
|
if (queued)
|
|
return;
|
|
|
|
/*
|
|
* keyring->description points to the name of the keyring
|
|
* (such as ".builtin_trusted_keys", ".ima", etc.) to
|
|
* which the given key is linked to.
|
|
*
|
|
* The name of the keyring is passed in the "eventname"
|
|
* parameter to process_buffer_measurement() and is set
|
|
* in the "eventname" field in ima_event_data for
|
|
* the key measurement IMA event.
|
|
*
|
|
* The name of the keyring is also passed in the "keyring"
|
|
* parameter to process_buffer_measurement() to check
|
|
* if the IMA policy is configured to measure a key linked
|
|
* to the given keyring.
|
|
*/
|
|
process_buffer_measurement(NULL, payload, payload_len,
|
|
keyring->description, KEY_CHECK, 0,
|
|
keyring->description);
|
|
}
|