首頁 探索 說明
登入
GfA
/
linux_kernel
5
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
瀏覽代碼

ima: permit duplicate measurement list entries

Measurements carried across kexec need to be added to the IMA
measurement list, but should not prevent measurements of the newly
booted kernel from being added to the measurement list.  This patch adds
support for allowing duplicate measurements.

The "boot_aggregate" measurement entry is the delimiter between soft
boots.

Link: http://lkml.kernel.org/r/1480554346-29071-4-git-send-email-zohar@linux.vnet.ibm.com
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andreas Steffen <andreas.steffen@strongswan.org>
Cc: Josh Sklar <sklar@linux.vnet.ibm.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Baoquan He <bhe@redhat.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Stewart Smith <stewart@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Mimi Zohar 8 年之前
父節點
94c3aac567
當前提交
dcfc56937b
共有 1 個文件被更改,包括 10 次插入6 次删除
統一視圖 顯示文件統計
  1. 10 6
      security/integrity/ima/ima_queue.c

+ 10 - 6
security/integrity/ima/ima_queue.c
查看文件 

@@ -65,11 +65,13 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value,
 
 }
 
 }
 
 
 
 /* ima_add_template_entry helper function:
 
 /* ima_add_template_entry helper function:
 
- * - Add template entry to measurement list and hash table.
 
+ * - Add template entry to the measurement list and hash table, for
 
+ *   all entries except those carried across kexec.
 
  *
 
  *
 
  * (Called with ima_extend_list_mutex held.)
 
  * (Called with ima_extend_list_mutex held.)
 
  */
 
  */
 
-static int ima_add_digest_entry(struct ima_template_entry *entry)
 
+static int ima_add_digest_entry(struct ima_template_entry *entry,
 
+				bool update_htable)
 
 {
 
 {
 
 	struct ima_queue_entry *qe;
 
 	struct ima_queue_entry *qe;
 
 	unsigned int key;
 
 	unsigned int key;
 
@@ -85,8 +87,10 @@ static int ima_add_digest_entry(struct ima_template_entry *entry)
 
 	list_add_tail_rcu(&qe->later, &ima_measurements);
 
 	list_add_tail_rcu(&qe->later, &ima_measurements);
 
 
 
 	atomic_long_inc(&ima_htable.len);
 
 	atomic_long_inc(&ima_htable.len);
 
-	key = ima_hash_key(entry->digest);
 
-	hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
 
+	if (update_htable) {
 
+		key = ima_hash_key(entry->digest);
 
+		hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
 
+	}
 
 	return 0;
 
 	return 0;
 
 }
 
 }
 
 
 
@@ -126,7 +130,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
 
 		}
 
 		}
 
 	}
 
 	}
 
 
 
-	result = ima_add_digest_entry(entry);
 
+	result = ima_add_digest_entry(entry, 1);
 
 	if (result < 0) {
 
 	if (result < 0) {
 
 		audit_cause = "ENOMEM";
 
 		audit_cause = "ENOMEM";
 
 		audit_info = 0;
 
 		audit_info = 0;
 
@@ -155,7 +159,7 @@ int ima_restore_measurement_entry(struct ima_template_entry *entry)
 
 	int result = 0;
 
 	int result = 0;
 
 
 
 	mutex_lock(&ima_extend_list_mutex);
 
 	mutex_lock(&ima_extend_list_mutex);
 
-	result = ima_add_digest_entry(entry);
 
+	result = ima_add_digest_entry(entry, 0);
 
 	mutex_unlock(&ima_extend_list_mutex);
 
 	mutex_unlock(&ima_extend_list_mutex);
 
 	return result;
 
 	return result;
 
 }
 
 }