[PATCH v2 4/5 RFC] added a buffer_check LSM hook
From: Prakhar Srivastava
Date: Tue Apr 23 2019 - 20:16:00 EST
From: Prakhar Srivastava <prsriva02@xxxxxxxxx>
Signed-off-by: Prakhar Srivastava <prsriva@xxxxxxxxxxxxx>
---
Currently for soft reboot(kexec_file_load) the kernel file and
signature is measured by IMA. The cmdline args used to load the kernel
is not measured.
The boot aggregate that gets calculated will have no change since the
EFI loader has not been triggered.
Adding the kexec cmdline args measure and kernel version will add some
attestable criteria.
This patch adds a LSM hook for buffer_check
Suggested by Mimi Zohar
include/linux/lsm_hooks.h | 3 +++
include/linux/security.h | 5 +++++
security/security.c | 7 +++++++
3 files changed, 15 insertions(+)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 080f34e66017..854bf3cac716 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1568,6 +1568,8 @@ union security_list_options {
int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen);
int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen);
+ int (*buffer_check)(const void *buff, int size, const char *eventname);
+
#ifdef CONFIG_SECURITY_NETWORK
int (*unix_stream_connect)(struct sock *sock, struct sock *other,
struct sock *newsk);
@@ -1813,6 +1815,7 @@ struct security_hook_heads {
struct list_head inode_notifysecctx;
struct list_head inode_setsecctx;
struct list_head inode_getsecctx;
+ struct list_head buffer_check;
#ifdef CONFIG_SECURITY_NETWORK
struct list_head unix_stream_connect;
struct list_head unix_may_send;
diff --git a/include/linux/security.h b/include/linux/security.h
index af675b576645..cbba0e119234 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -377,6 +377,8 @@ void security_inode_invalidate_secctx(struct inode *inode);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
+
+void security_buffer_measure(const void *buff, int size, char *eventname);
#else /* CONFIG_SECURITY */
struct security_mnt_opts {
};
@@ -776,6 +778,9 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
*secid = 0;
}
+static inline void security_buffer_measure(const void *buff, int size, char *eventname)
+{ }
+
static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
{
return 0;
diff --git a/security/security.c b/security/security.c
index 38316bb28b16..a0dfdb015412 100644
--- a/security/security.c
+++ b/security/security.c
@@ -320,6 +320,13 @@ int security_bprm_check(struct linux_binprm *bprm)
return ima_bprm_check(bprm);
}
+void security_buffer_measure(const void *buff, int size, char *eventname)
+{
+ call_void_hook(buffer_check, buff, size, eventname);
+ return ima_buffer_check(buff, size, eventname);
+}
+
+
void security_bprm_committing_creds(struct linux_binprm *bprm)
{
call_void_hook(bprm_committing_creds, bprm);
--
2.17.1