Re: [PATCH 1/3 v5] add a new ima hook and policy to measure the cmdline

From: Mimi Zohar
Date: Mon May 13 2019 - 12:58:28 EST


On Fri, 2019-05-10 at 15:37 -0700, Prakhar Srivastava wrote:

> +/*
> + * process_buffer_measurement - Measure the buffer passed to ima log.

"passed to ima log" is unnecessary.

> + * (Instead of using the file hash use the buffer hash).

This comment, if needed, belongs in the text description area below,
not here.

> + * @buf - The buffer that needs to be added to the log
> + * @size - size of buffer(in bytes)
> + * @eventname - event name to be used for buffer.

Missing are the other fields.

> + *
> + * The buffer passed is added to the ima log.
> + *
> + * On success return 0.
> + * On error cases surface errors from ima calls.

Only IMA-appraise returns errors to the caller. ÂThere's no point in
returning an error.


> + */
> +static int process_buffer_measurement(const void *buf, int size,
> + const char *eventname, const struct cred *cred,
> + u32 secid)

This should be "static void".

> +{
> + int ret = 0;
> + struct ima_template_entry *entry = NULL;
> + struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
> + struct ima_event_data event_data = {iint, NULL, NULL,
> + NULL, 0, NULL};
> + struct {
> + struct ima_digest_data hdr;
> + char digest[IMA_MAX_DIGEST_SIZE];
> + } hash;
> + int violation = 0;
> + int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
> + int action = 0;
> +
> + action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr);
> + if (!(action & IMA_AUDIT) && !(action & IMA_MEASURE))
> + goto out;
> +
> + memset(iint, 0, sizeof(*iint));
> + memset(&hash, 0, sizeof(hash));
> +
> + event_data.filename = eventname;
> +
> + iint->ima_hash = &hash.hdr;
> + iint->ima_hash->algo = ima_hash_algo;
> + iint->ima_hash->length = hash_digest_size[ima_hash_algo];
> +
> + ret = ima_calc_buffer_hash(buf, size, iint->ima_hash);
> + if (ret < 0)
> + goto out;
> +
> + ret = ima_alloc_init_template(&event_data, &entry);
> + if (ret < 0)
> + goto out;
> +
> + if (action & IMA_MEASURE)
> + ret = ima_store_template(entry, violation, NULL, buf, pcr);
> +
> + if (action & IMA_AUDIT)
> + ima_audit_measurement(iint, event_data.filename);

The cover letter and patch description say this patch set is limited
to measuring the boot command line - IMA-measurement.
Âima_audit_measurement() adds file hashes in the audit log, which can
be used for security analytics and/or forensics. ÂThis is part of IMA-
audit. ÂThe call to ima_audit_measurement() is inappropriate.

Mimi


> +
> + if (ret < 0) {
> + ima_free_template_entry(entry);
> + goto out;
> + }
> +
> +out:
> + return ret;
> +}
> +