integrity: define a new function integrity_read_file()
This patch defines a new function called integrity_read_file() to read file from the kernel into a buffer. Subsequent patches will read a file containing the public keys and load them onto the IMA keyring. This patch moves and renames ima_kernel_read(), the non-security checking version of kernel_read(), to integrity_kernel_read(). Changes in v3: * Patch descriptions improved (Mimi) * Add missing cast (kbuild test robot) Changes in v2: * configuration option removed * function declared as '__init' Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
parent
c2426d2ad5
commit
e3c4abbfa9
|
@ -19,6 +19,8 @@
|
|||
#include <linux/module.h>
|
||||
#include <linux/spinlock.h>
|
||||
#include <linux/rbtree.h>
|
||||
#include <linux/file.h>
|
||||
#include <linux/uaccess.h>
|
||||
#include "integrity.h"
|
||||
|
||||
static struct rb_root integrity_iint_tree = RB_ROOT;
|
||||
|
@ -167,3 +169,79 @@ static int __init integrity_iintcache_init(void)
|
|||
return 0;
|
||||
}
|
||||
security_initcall(integrity_iintcache_init);
|
||||
|
||||
|
||||
/*
|
||||
* integrity_kernel_read - read data from the file
|
||||
*
|
||||
* This is a function for reading file content instead of kernel_read().
|
||||
* It does not perform locking checks to ensure it cannot be blocked.
|
||||
* It does not perform security checks because it is irrelevant for IMA.
|
||||
*
|
||||
*/
|
||||
int integrity_kernel_read(struct file *file, loff_t offset,
|
||||
char *addr, unsigned long count)
|
||||
{
|
||||
mm_segment_t old_fs;
|
||||
char __user *buf = (char __user *)addr;
|
||||
ssize_t ret = -EINVAL;
|
||||
|
||||
if (!(file->f_mode & FMODE_READ))
|
||||
return -EBADF;
|
||||
|
||||
old_fs = get_fs();
|
||||
set_fs(get_ds());
|
||||
if (file->f_op->read)
|
||||
ret = file->f_op->read(file, buf, count, &offset);
|
||||
else if (file->f_op->aio_read)
|
||||
ret = do_sync_read(file, buf, count, &offset);
|
||||
else if (file->f_op->read_iter)
|
||||
ret = new_sync_read(file, buf, count, &offset);
|
||||
set_fs(old_fs);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* integrity_read_file - read entire file content into the buffer
|
||||
*
|
||||
* This is function opens a file, allocates the buffer of required
|
||||
* size, read entire file content to the buffer and closes the file
|
||||
*
|
||||
* It is used only by init code.
|
||||
*
|
||||
*/
|
||||
int __init integrity_read_file(const char *path, char **data)
|
||||
{
|
||||
struct file *file;
|
||||
loff_t size;
|
||||
char *buf;
|
||||
int rc = -EINVAL;
|
||||
|
||||
file = filp_open(path, O_RDONLY, 0);
|
||||
if (IS_ERR(file)) {
|
||||
rc = PTR_ERR(file);
|
||||
pr_err("Unable to open file: %s (%d)", path, rc);
|
||||
return rc;
|
||||
}
|
||||
|
||||
size = i_size_read(file_inode(file));
|
||||
if (size <= 0)
|
||||
goto out;
|
||||
|
||||
buf = kmalloc(size, GFP_KERNEL);
|
||||
if (!buf) {
|
||||
rc = -ENOMEM;
|
||||
goto out;
|
||||
}
|
||||
|
||||
rc = integrity_kernel_read(file, 0, buf, size);
|
||||
if (rc < 0)
|
||||
kfree(buf);
|
||||
else if (rc != size)
|
||||
rc = -EIO;
|
||||
else
|
||||
*data = buf;
|
||||
out:
|
||||
fput(file);
|
||||
return rc;
|
||||
}
|
||||
|
|
|
@ -67,36 +67,6 @@ MODULE_PARM_DESC(ahash_bufsize, "Maximum ahash buffer size");
|
|||
static struct crypto_shash *ima_shash_tfm;
|
||||
static struct crypto_ahash *ima_ahash_tfm;
|
||||
|
||||
/**
|
||||
* ima_kernel_read - read file content
|
||||
*
|
||||
* This is a function for reading file content instead of kernel_read().
|
||||
* It does not perform locking checks to ensure it cannot be blocked.
|
||||
* It does not perform security checks because it is irrelevant for IMA.
|
||||
*
|
||||
*/
|
||||
static int ima_kernel_read(struct file *file, loff_t offset,
|
||||
char *addr, unsigned long count)
|
||||
{
|
||||
mm_segment_t old_fs;
|
||||
char __user *buf = addr;
|
||||
ssize_t ret = -EINVAL;
|
||||
|
||||
if (!(file->f_mode & FMODE_READ))
|
||||
return -EBADF;
|
||||
|
||||
old_fs = get_fs();
|
||||
set_fs(get_ds());
|
||||
if (file->f_op->read)
|
||||
ret = file->f_op->read(file, buf, count, &offset);
|
||||
else if (file->f_op->aio_read)
|
||||
ret = do_sync_read(file, buf, count, &offset);
|
||||
else if (file->f_op->read_iter)
|
||||
ret = new_sync_read(file, buf, count, &offset);
|
||||
set_fs(old_fs);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int __init ima_init_crypto(void)
|
||||
{
|
||||
long rc;
|
||||
|
@ -324,7 +294,8 @@ static int ima_calc_file_hash_atfm(struct file *file,
|
|||
}
|
||||
/* read buffer */
|
||||
rbuf_len = min_t(loff_t, i_size - offset, rbuf_size[active]);
|
||||
rc = ima_kernel_read(file, offset, rbuf[active], rbuf_len);
|
||||
rc = integrity_kernel_read(file, offset, rbuf[active],
|
||||
rbuf_len);
|
||||
if (rc != rbuf_len)
|
||||
goto out3;
|
||||
|
||||
|
@ -417,7 +388,7 @@ static int ima_calc_file_hash_tfm(struct file *file,
|
|||
while (offset < i_size) {
|
||||
int rbuf_len;
|
||||
|
||||
rbuf_len = ima_kernel_read(file, offset, rbuf, PAGE_SIZE);
|
||||
rbuf_len = integrity_kernel_read(file, offset, rbuf, PAGE_SIZE);
|
||||
if (rbuf_len < 0) {
|
||||
rc = rbuf_len;
|
||||
break;
|
||||
|
|
|
@ -119,6 +119,10 @@ struct integrity_iint_cache {
|
|||
*/
|
||||
struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
|
||||
|
||||
int integrity_kernel_read(struct file *file, loff_t offset,
|
||||
char *addr, unsigned long count);
|
||||
int __init integrity_read_file(const char *path, char **data);
|
||||
|
||||
#define INTEGRITY_KEYRING_EVM 0
|
||||
#define INTEGRITY_KEYRING_MODULE 1
|
||||
#define INTEGRITY_KEYRING_IMA 2
|
||||
|
|
Loading…
Reference in New Issue