Re: [PATCH v9 5/8] ima: make process_buffer_measurement() generic

[Nayna Jain]

On 10/24/19 10:20 AM, Lakshmi Ramasubramanian wrote:
> On 10/23/19 8:47 PM, Nayna Jain wrote:
>
> Hi Nayna,
>
> > +void process_buffer_measurement(const void *buf, int size,
> > +ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ const char *eventname, enum ima_hooks func,
> > +ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ int pcr)
> > Â {
> > ÂÂÂÂÂ int ret = 0;
> > ÂÂÂÂÂ struct ima_template_entry *entry = NULL;
>
> > +ÂÂÂ if (func) {
> > +ÂÂÂÂÂÂÂ security_task_getsecid(current, &secid);
> > +ÂÂÂÂÂÂÂ action = ima_get_action(NULL, current_cred(), secid, 0, func,
> > +ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ &pcr, &template);
> > +ÂÂÂÂÂÂÂ if (!(action & IMA_MEASURE))
> > +ÂÂÂÂÂÂÂÂÂÂÂ return;
> > +ÂÂÂ }
>
> In your change set process_buffer_measurement is called with NONE for 
> the parameter func. So ima_get_action (the above if block) will not be 
> executed.
>
> Wouldn't it better to update ima_get_action (and related functions) to 
> handle the ima policy (func param)?


The idea is to use ima-buf template for the auxiliary measurement 
record. The auxiliary measurement record is an additional record to the 
one already created based on the existing policy. When func is passed as 
NONE, it represents it is an additional record. I am not sure what you 
mean by updating ima_get_action, it is already handling the ima policy.

Thanks & Regards,

ÂÂÂ - Nayna