From d6e645012d97164609260ac567b304681734c5e2 Mon Sep 17 00:00:00 2001
From: Tushar Sugandhi
Date: Thu, 7 Jan 2021 20:07:03 -0800
Subject: IMA: define a hook to measure kernel integrity critical data

IMA provides capabilities to measure file and buffer data. However, various data structures, policies, and states stored in kernel memory also impact the integrity of the system. Several kernel subsystems contain such integrity critical data. These kernel subsystems help protect the integrity of the system. Currently, IMA does not provide a generic function for measuring kernel integrity critical data. Define ima_measure_critical_data, a new IMA hook, to measure kernel integrity critical data.

Signed-off-by: Tushar Sugandhi
Reviewed-by: Tyler Hicks
Signed-off-by: Mimi Zohar
---
 include/linux/ima.h | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'include')

diff --git a/include/linux/ima.h b/include/linux/ima.h
index 7db9cca1af34..59bd90ac3c35 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -31,6 +31,9 @@ extern void ima_post_path_mknod(struct dentry *dentry);
 extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
 extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size);
 extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);
+extern void ima_measure_critical_data(const char *event_name,
+ const void *buf, size_t buf_len,
+ bool hash);
 
 #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
 extern void ima_appraise_parse_cmdline(void);
@@ -128,6 +131,10 @@ static inline int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size
 }
 
 static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {}
+
+static inline void ima_measure_critical_data(const char *event_name,
+ const void *buf, size_t buf_len,
+ bool hash) {}
 #endif /* CONFIG_IMA */
 
 #ifndef CONFIG_IMA_KEXEC
-- 
cgit v1.2.3

From 9f5d7d23cc5ec61a92076b73665fcb9aaa5bb5a0 Mon Sep 17 00:00:00 2001
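Review bot: The new `ima_measure_critical_data()` declaration in the first hunk has no kernel-doc, so a caller reading the header cannot tell what the `hash` flag selects or what `event_name` ends up identifying in the measurement list. If `hash` chooses between recording the buffer contents and recording only the buffer's digest, a comment above the extern such as `/* Measure @buf (or only its digest when @hash is set) into the IMA measurement list under @event_name -- confirm against the implementation */` would stop every caller from guessing. The new `buf_len` is `size_t` while the neighbouring `ima_kexec_cmdline()` takes `int size`; that mismatch is pre-existing, but the new declaration is the better convention and worth keeping as is. The `!CONFIG_IMA` stub in the second hunk mirrors the signature correctly and needs nothing further.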
From: Tushar Sugandhi
Date: Thu, 7 Jan 2021 20:07:06 -0800
Subject: IMA: extend critical data hook to limit the measurement based on a label

The IMA hook ima_measure_critical_data() does not support a way to specify the source of the critical data provider. Thus, the data measurement cannot be constrained based on the data source label in the IMA policy. Extend the IMA hook ima_measure_critical_data() to support passing the data source label as an input parameter, so that the policy rule can be used to limit the measurements based on the label.

Signed-off-by: Tushar Sugandhi
Reviewed-by: Tyler Hicks
Signed-off-by: Mimi Zohar
---
 include/linux/ima.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'include')

diff --git a/include/linux/ima.h b/include/linux/ima.h
index 59bd90ac3c35..2ac834badbbe 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -31,7 +31,8 @@ extern void ima_post_path_mknod(struct dentry *dentry);
 extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
 extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size);
 extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);
-extern void ima_measure_critical_data(const char *event_name,
+extern void ima_measure_critical_data(const char *event_label,
+ const char *event_name,
 const void *buf, size_t buf_len,
 bool hash);
 
@@ -132,9 +133,11 @@ static inline int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size
 
 static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {}
 
-static inline void ima_measure_critical_data(const char *event_name,
+static inline void ima_measure_critical_data(const char *event_label,
+ const char *event_name,
 const void *buf, size_t buf_len,
 bool hash) {}
+
 #endif /* CONFIG_IMA */
 
 #ifndef CONFIG_IMA_KEXEC
-- 
cgit v1.2.3

From f31e3386a4e92ba6eda7328cb508462956c94c64 Mon Sep 17 00:00:00 2001
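Review bot: The first hunk adds `event_label` to the hook's signature but still documents nothing about it, and since the commit message says IMA policy rules will constrain measurement by this label, the header is the place to state which strings are valid and whether a NULL label is accepted or rejected. A comment above the extern along the lines of `/* @event_label: data-source identifier matched against IMA policy rules -- confirm the permitted form and NULL handling against the implementation */` would give callers adding new data sources a contract to follow. The blank line added after the `!CONFIG_IMA` stub in the second hunk is unrelated whitespace and could be left out of this patch.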
From: Lakshmi Ramasubramanian
Date: Thu, 4 Feb 2021 09:49:51 -0800
Subject: ima: Free IMA measurement buffer after kexec syscall

IMA allocates kernel virtual memory to carry forward the measurement list, from the current kernel to the next kernel on kexec system call, in ima_add_kexec_buffer() function. This buffer is not freed before completing the kexec system call resulting in memory leak. Add ima_buffer field in "struct kimage" to store the virtual address of the buffer allocated for the IMA measurement list. Free the memory allocated for the IMA measurement list in kimage_file_post_load_cleanup() function.

Signed-off-by: Lakshmi Ramasubramanian
Suggested-by: Tyler Hicks
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Tyler Hicks
Fixes: 7b8589cc29e7 ("ima: on soft reboot, save the measurement list")
Signed-off-by: Mimi Zohar
---
 include/linux/kexec.h | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'include')

diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 9e93bef52968..5f61389f5f36 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -300,6 +300,11 @@ struct kimage {
 /* Information for loading purgatory */
 struct purgatory_info purgatory_info;
 #endif
+
+#ifdef CONFIG_IMA_KEXEC
+ /* Virtual address of IMA measurement buffer for kexec syscall */
+ void *ima_buffer;
+#endif
 };
 
 /* kexec interface functions */
-- 
cgit v1.2.3
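Review bot: The comment on the new `ima_buffer` field says what the pointer is but not who owns it, and ownership is the one thing a reader of `struct kimage` needs in order not to free it twice or leak it on another path; the commit message already has the answer, so it should be in the header. I would extend it to `/* Virtual address of the IMA measurement buffer for the kexec syscall; allocated by ima_add_kexec_buffer(), freed in kimage_file_post_load_cleanup() */`. Whether a `struct kimage` built through the legacy `kexec_load` path, which presumably does not run the file-load cleanup, can ever have this field set cannot be confirmed from this hunk and is worth checking so the free is not missed there.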