Re: [PATCH 3/3] IMA: add support to measure duplicate buffer for critical data hook

From: Mimi Zohar
Date: Mon Feb 08 2021 - 16:28:22 EST


Hi Tushar,

On Fri, 2021-01-29 at 16:45 -0800, Tushar Sugandhi wrote:

> diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
>
> index c096ef8945c7..fbf359495fa8 100644
> --- a/security/integrity/ima/ima_queue.c
> +++ b/security/integrity/ima/ima_queue.c
> @@ -158,7 +158,7 @@ static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr)
> */
> int ima_add_template_entry(struct ima_template_entry *entry, int violation,
> const char *op, struct inode *inode,
> - const unsigned char *filename)
> + const unsigned char *filename, bool allow_dup)
> {
> u8 *digest = entry->digests[ima_hash_algo_idx].digest;
>
struct tpm_digestate_entry(struct ima_template_entry *entry, int violation,
>
> mutex_lock(&ima_extend_list_mutex);
> if (!violation) {
> - if (ima_lookup_digest_entry(digest, entry->pcr)) {
> + if (!allow_dup &&
> + ima_lookup_digest_entry(digest, entry->pcr)) {

Can't this change be simplified to "if (!violation && !allow_dup)"?

Also perhaps instead of passing another variable "allow_dup" to each of
these functions, pass a mask containing violation and allow_dup.

> audit_cause = "hash_exists";
> result = -EEXIST;
> goto out;

thanks,

Mimi