[PATCH v3 06/13] diglim: IMA info

From: Roberto Sassu
Date: Tue Sep 14 2021 - 12:35:53 EST


Introduce diglim_ima_get_info() to retrieve the digest and the actions
performed by IMA on the passed digest list file or buffer.

diglim_ima_get_info() requires the caller to write-lock the file to ensure
that the file content the integrity status is retrieved from didn't change
since the time the buffer passed as argument was filled.

Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
---
MAINTAINERS | 1 +
security/integrity/diglim/Makefile | 2 +-
security/integrity/diglim/diglim.h | 6 ++
security/integrity/diglim/ima.c | 122 +++++++++++++++++++++++++++++
security/integrity/integrity.h | 4 +
5 files changed, 134 insertions(+), 1 deletion(-)
create mode 100644 security/integrity/diglim/ima.c

diff --git a/MAINTAINERS b/MAINTAINERS
index f5959936d490..f10690dda734 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -5514,6 +5514,7 @@ F: Documentation/security/diglim/introduction.rst
F: include/linux/diglim.h
F: include/uapi/linux/diglim.h
F: security/integrity/diglim/diglim.h
+F: security/integrity/diglim/ima.c
F: security/integrity/diglim/methods.c
F: security/integrity/diglim/parser.c

diff --git a/security/integrity/diglim/Makefile b/security/integrity/diglim/Makefile
index 34e4e154fff3..880dc5300792 100644
--- a/security/integrity/diglim/Makefile
+++ b/security/integrity/diglim/Makefile
@@ -5,4 +5,4 @@

obj-$(CONFIG_DIGLIM) += diglim.o

-diglim-y := methods.o parser.o
+diglim-y := methods.o parser.o ima.o
diff --git a/security/integrity/diglim/diglim.h b/security/integrity/diglim/diglim.h
index afdb0affdc5e..ebe8936520b5 100644
--- a/security/integrity/diglim/diglim.h
+++ b/security/integrity/diglim/diglim.h
@@ -22,6 +22,8 @@
#include <linux/hash_info.h>
#include <linux/diglim.h>

+#include "../integrity.h"
+
#define MAX_DIGEST_SIZE 64
#define HASH_BITS 10
#define DIGLIM_HTABLE_SIZE (1 << HASH_BITS)
@@ -221,4 +223,8 @@ void digest_list_del(u8 *digest, enum hash_algo algo, u8 actions,

int digest_list_parse(loff_t size, void *buf, enum ops op, u8 actions,
u8 *digest, enum hash_algo algo, const char *label);
+
+int diglim_ima_get_info(struct file *file, u8 *buffer, size_t buffer_len,
+ char *event_name, u8 *digest, size_t digest_len,
+ enum hash_algo *algo, u8 *actions);
#endif /*__DIGLIM_INTERNAL_H*/
diff --git a/security/integrity/diglim/ima.c b/security/integrity/diglim/ima.c
new file mode 100644
index 000000000000..2cc1ec1299f8
--- /dev/null
+++ b/security/integrity/diglim/ima.c
@@ -0,0 +1,122 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2021 Huawei Technologies Duesseldorf GmbH
+ *
+ * Author: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
+ *
+ * Functions to retrieve the integrity status from IMA.
+ */
+
+#include <linux/vmalloc.h>
+#include <linux/module.h>
+#include <linux/ima.h>
+
+#include "diglim.h"
+
+static int diglim_ima_get_info_file(struct file *file, u8 *digest,
+ size_t digest_len, enum hash_algo *algo,
+ u8 *actions)
+{
+ struct integrity_iint_cache *iint;
+ struct inode *inode = file_inode(file);
+ int ret = -ENOENT;
+
+ iint = integrity_iint_find(inode);
+ if (!iint)
+ return ret;
+
+ mutex_lock(&iint->mutex);
+ /* File digest has not been calculated. */
+ if (!(iint->flags & IMA_COLLECTED))
+ goto out;
+
+ ret = 0;
+
+ if (iint->flags & IMA_MEASURED)
+ *actions |= 1 << COMPACT_ACTION_IMA_MEASURED;
+
+ if (iint->flags & IMA_APPRAISED)
+ *actions |= 1 << COMPACT_ACTION_IMA_APPRAISED;
+
+ if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
+ *actions |= 1 << COMPACT_ACTION_IMA_APPRAISED_DIGSIG;
+
+ if (algo)
+ *algo = iint->ima_hash->algo;
+ if (digest)
+ memcpy(digest, iint->ima_hash->digest, hash_digest_size[*algo]);
+out:
+ mutex_unlock(&iint->mutex);
+ return ret;
+}
+
+static int diglim_ima_get_info_buffer(u8 *buffer, size_t buffer_len,
+ char *event_name, u8 *digest,
+ size_t digest_len, enum hash_algo *algo,
+ u8 *actions)
+{
+ int ret;
+
+ ret = ima_measure_critical_data("diglim", event_name, buffer,
+ buffer_len, false, digest, digest_len);
+ if (ret < 0 && ret != -EEXIST)
+ return -ENOENT;
+
+ *algo = ima_get_current_hash_algo();
+
+ if (!ret || ret == -EEXIST)
+ *actions |= 1 << COMPACT_ACTION_IMA_MEASURED;
+
+ return 0;
+}
+
+/**
+ * diglim_ima_get_info - retrieve the integrity status of digest list from IMA
+ * @file: file to retrieve the integrity status from
+ * @buffer: buffer to retrieve the integrity status from (alternative to file)
+ * @buffer_len: buffer length
+ * @event_name: name of the event to be generated by IMA for buffer measurement
+ * @digest: digest of the file or the buffer
+ * @digest_len: digest length
+ * @algo: digest algorithm
+ * @actions: actions performed on the file or the buffer
+ *
+ * This function attempts to retrieve some information from the passed digest
+ * list file or buffer: the digest, its algorithm, and the actions performed by
+ * IMA.
+ *
+ * This function first attempts to retrieve the information from the file, and
+ * if unsuccessful, attempts with the buffer.
+ *
+ * The caller must prevent writes to the file with deny_write_access() to ensure
+ * that the file content the integrity status is retrieved from didn't change
+ * since the time the buffer passed as argument was filled.
+ *
+ * Return: 0 if the information has been successfully retrieved, -ENOENT
+ * otherwise.
+ */
+int diglim_ima_get_info(struct file *file, u8 *buffer, size_t buffer_len,
+ char *event_name, u8 *digest, size_t digest_len,
+ enum hash_algo *algo, u8 *actions)
+{
+ int ret = -ENOENT;
+
+ /* Ensure that the file is write-locked. */
+ if (file && atomic_read(&file_inode(file)->i_writecount) >= 0)
+ return -EINVAL;
+
+ if (file) {
+ ret = diglim_ima_get_info_file(file, digest, digest_len, algo,
+ actions);
+ if (!ret && (*actions & (1 << COMPACT_ACTION_IMA_MEASURED)))
+ return ret;
+ }
+
+ if (buffer) {
+ ret = diglim_ima_get_info_buffer(buffer, buffer_len, event_name,
+ digest, digest_len, algo,
+ actions);
+ }
+
+ return ret;
+}
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 74919b638f52..de5dde382f11 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -6,6 +6,9 @@
* Mimi Zohar <zohar@xxxxxxxxxx>
*/

+#ifndef __INTEGRITY_H
+#define __INTEGRITY_H
+
#ifdef pr_fmt
#undef pr_fmt
#endif
@@ -285,3 +288,4 @@ static inline void __init add_to_platform_keyring(const char *source,
{
}
#endif
+#endif /*__INTEGRITY_H*/
--
2.25.1