IMA: Add audit log for failure conditions
process_buffer_measurement() and ima_alloc_key_entry() functions need to log an audit message for auditing integrity measurement failures. Add audit message in these two functions. Remove "pr_devel" log message in process_buffer_measurement(). Sample audit messages: [ 6.303048] audit: type=1804 audit(1592506281.627:2): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=measuring_key cause=ENOMEM comm="swapper/0" name=".builtin_trusted_keys" res=0 errno=-12 [ 8.019432] audit: type=1804 audit(1592506283.344:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=measuring_kexec_cmdline cause=hashing_error comm="systemd" name="kexec-cmdline" res=0 errno=-22 Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
parent
2f845882ec
commit
34e980bb83
@ -186,27 +186,43 @@ static inline unsigned int ima_hash_key(u8 *digest)
|
|||||||
return (digest[0] | digest[1] << 8) % IMA_MEASURE_HTABLE_SIZE;
|
return (digest[0] | digest[1] << 8) % IMA_MEASURE_HTABLE_SIZE;
|
||||||
}
|
}
|
||||||
|
|
||||||
#define __ima_hooks(hook) \
|
#define __ima_hooks(hook) \
|
||||||
hook(NONE) \
|
hook(NONE, none) \
|
||||||
hook(FILE_CHECK) \
|
hook(FILE_CHECK, file) \
|
||||||
hook(MMAP_CHECK) \
|
hook(MMAP_CHECK, mmap) \
|
||||||
hook(BPRM_CHECK) \
|
hook(BPRM_CHECK, bprm) \
|
||||||
hook(CREDS_CHECK) \
|
hook(CREDS_CHECK, creds) \
|
||||||
hook(POST_SETATTR) \
|
hook(POST_SETATTR, post_setattr) \
|
||||||
hook(MODULE_CHECK) \
|
hook(MODULE_CHECK, module) \
|
||||||
hook(FIRMWARE_CHECK) \
|
hook(FIRMWARE_CHECK, firmware) \
|
||||||
hook(KEXEC_KERNEL_CHECK) \
|
hook(KEXEC_KERNEL_CHECK, kexec_kernel) \
|
||||||
hook(KEXEC_INITRAMFS_CHECK) \
|
hook(KEXEC_INITRAMFS_CHECK, kexec_initramfs) \
|
||||||
hook(POLICY_CHECK) \
|
hook(POLICY_CHECK, policy) \
|
||||||
hook(KEXEC_CMDLINE) \
|
hook(KEXEC_CMDLINE, kexec_cmdline) \
|
||||||
hook(KEY_CHECK) \
|
hook(KEY_CHECK, key) \
|
||||||
hook(MAX_CHECK)
|
hook(MAX_CHECK, none)
|
||||||
#define __ima_hook_enumify(ENUM) ENUM,
|
|
||||||
|
#define __ima_hook_enumify(ENUM, str) ENUM,
|
||||||
|
#define __ima_stringify(arg) (#arg)
|
||||||
|
#define __ima_hook_measuring_stringify(ENUM, str) \
|
||||||
|
(__ima_stringify(measuring_ ##str)),
|
||||||
|
|
||||||
enum ima_hooks {
|
enum ima_hooks {
|
||||||
__ima_hooks(__ima_hook_enumify)
|
__ima_hooks(__ima_hook_enumify)
|
||||||
};
|
};
|
||||||
|
|
||||||
|
static const char * const ima_hooks_measure_str[] = {
|
||||||
|
__ima_hooks(__ima_hook_measuring_stringify)
|
||||||
|
};
|
||||||
|
|
||||||
|
static inline const char *func_measure_str(enum ima_hooks func)
|
||||||
|
{
|
||||||
|
if (func >= MAX_CHECK)
|
||||||
|
return ima_hooks_measure_str[NONE];
|
||||||
|
|
||||||
|
return ima_hooks_measure_str[func];
|
||||||
|
}
|
||||||
|
|
||||||
extern const char *const func_tokens[];
|
extern const char *const func_tokens[];
|
||||||
|
|
||||||
struct modsig;
|
struct modsig;
|
||||||
|
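Review bot: The second column of `__ima_hooks` is now load-bearing for the audit `op=` string (`hook(KEY_CHECK, key)` becomes "measuring_key" through `__ima_hook_measuring_stringify`, and `hook(MAX_CHECK, none)` deliberately aliases the NONE entry), but nothing in the hunk says so; a comment above the macro such as `/* hook(ENUM, str): str is the suffix of the audit op name "measuring_<str>" */` would keep the next hook from being added with that column left blank. `func_measure_str()` maps any out-of-range value to the NONE entry instead of reporting the caller's mistake, which is a reasonable choice for a label in an audit record but deserves a line, e.g. `/* Out-of-range func: audit as "measuring_none" rather than index past the table. */`. The `func >= MAX_CHECK` comparison also relies on `enum ima_hooks` never holding a negative value; all enumerators here are non-negative, so a signed underlying type only matters if a caller passes a raw int. Since `ima_hooks_measure_str` is a `static const` array in what appears to be a header, every translation unit including it carries its own copy of the table, which is harmless today but worth knowing as the table grows.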
@ -740,6 +740,7 @@ void process_buffer_measurement(const void *buf, int size,
|
|||||||
int pcr, const char *keyring)
|
int pcr, const char *keyring)
|
||||||
{
|
{
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
|
const char *audit_cause = "ENOMEM";
|
||||||
struct ima_template_entry *entry = NULL;
|
struct ima_template_entry *entry = NULL;
|
||||||
struct integrity_iint_cache iint = {};
|
struct integrity_iint_cache iint = {};
|
||||||
struct ima_event_data event_data = {.iint = &iint,
|
struct ima_event_data event_data = {.iint = &iint,
|
||||||
@ -794,21 +795,28 @@ void process_buffer_measurement(const void *buf, int size,
|
|||||||
iint.ima_hash->length = hash_digest_size[ima_hash_algo];
|
iint.ima_hash->length = hash_digest_size[ima_hash_algo];
|
||||||
|
|
||||||
ret = ima_calc_buffer_hash(buf, size, iint.ima_hash);
|
ret = ima_calc_buffer_hash(buf, size, iint.ima_hash);
|
||||||
if (ret < 0)
|
if (ret < 0) {
|
||||||
|
audit_cause = "hashing_error";
|
||||||
goto out;
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
ret = ima_alloc_init_template(&event_data, &entry, template);
|
ret = ima_alloc_init_template(&event_data, &entry, template);
|
||||||
if (ret < 0)
|
if (ret < 0) {
|
||||||
|
audit_cause = "alloc_entry";
|
||||||
goto out;
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
ret = ima_store_template(entry, violation, NULL, buf, pcr);
|
ret = ima_store_template(entry, violation, NULL, buf, pcr);
|
||||||
|
if (ret < 0) {
|
||||||
if (ret < 0)
|
audit_cause = "store_entry";
|
||||||
ima_free_template_entry(entry);
|
ima_free_template_entry(entry);
|
||||||
|
}
|
||||||
|
|
||||||
out:
|
out:
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
pr_devel("%s: failed, result: %d\n", __func__, ret);
|
integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL, eventname,
|
||||||
|
func_measure_str(func),
|
||||||
|
audit_cause, ret, 0, ret);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
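Review bot: `audit_cause` keeps its default "ENOMEM" for any failure that reaches `out:` from the part of process_buffer_measurement() between its declaration (the earlier hunk at line 740) and the `ima_calc_buffer_hash()` call, which lies outside both hunks; that is correct only if every `goto out` in that stretch is an allocation failure, so a comment at the declaration, `/* default cause: the only untagged failure path is hash-buffer allocation */`, would pin the invariant and keep a future early exit there from being audited as ENOMEM. Replacing `pr_devel` with the unconditional `integrity_audit_message()` on `ret < 0` makes measurement failures visible to audit consumers without a debug build, which is the intended gain; the `name=` field is taken from `eventname` and `ret` feeds both the result and errno fields, consistent with the sample records in the description. The function's prologue and the policy checks before the hash computation are not in view, so the completeness of the cause labels cannot be confirmed from these hunks alone.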
@ -1414,7 +1414,7 @@ void ima_delete_rules(void)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#define __ima_hook_stringify(str) (#str),
|
#define __ima_hook_stringify(func, str) (#func),
|
||||||
|
|
||||||
const char *const func_tokens[] = {
|
const char *const func_tokens[] = {
|
||||||
__ima_hooks(__ima_hook_stringify)
|
__ima_hooks(__ima_hook_stringify)
|
||||||
|
@ -68,6 +68,7 @@ static struct ima_key_entry *ima_alloc_key_entry(struct key *keyring,
|
|||||||
size_t payload_len)
|
size_t payload_len)
|
||||||
{
|
{
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
|
const char *audit_cause = "ENOMEM";
|
||||||
struct ima_key_entry *entry;
|
struct ima_key_entry *entry;
|
||||||
|
|
||||||
entry = kzalloc(sizeof(*entry), GFP_KERNEL);
|
entry = kzalloc(sizeof(*entry), GFP_KERNEL);
|
||||||
@ -88,6 +89,10 @@ static struct ima_key_entry *ima_alloc_key_entry(struct key *keyring,
|
|||||||
|
|
||||||
out:
|
out:
|
||||||
if (rc) {
|
if (rc) {
|
||||||
|
integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL,
|
||||||
|
keyring->description,
|
||||||
|
func_measure_str(KEY_CHECK),
|
||||||
|
audit_cause, rc, 0, rc);
|
||||||
ima_free_key_entry(entry);
|
ima_free_key_entry(entry);
|
||||||
entry = NULL;
|
entry = NULL;
|
||||||
}
|
}
|
||||||
|
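Review bot: The audit call added under `out:` dereferences `keyring->description` on every failure path, so ima_alloc_key_entry() now assumes a non-NULL `keyring` with a populated description; if any caller (outside this hunk) can pass a NULL keyring, an error return becomes a NULL dereference, so either the caller contract should be documented at the function or the name should fall back, e.g. `keyring ? keyring->description : NULL`. `audit_cause` is initialised to "ENOMEM" in the earlier hunk (line 68) and never reassigned in either hunk, which is only accurate if every `rc` set between the two hunks is an allocation failure; a comment at the declaration, `/* all failure paths in this function are allocation failures */`, would make that explicit for whoever adds the next one. `ima_free_key_entry(entry)` is still reached with `entry` possibly NULL on the kzalloc failure path; that is unchanged by this commit, but the helper's NULL tolerance is assumed rather than shown here.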