0a72ba7aff
IMA audit hashes patches introduced new IMA flags and required space went beyond 8 bits. Currently the only flag is IMA_DIGSIG. This patch use 16 bit short instead of 8 bit char. Without this fix IMA signature will be replaced with hash, which should not happen. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
85 lines
2.2 KiB
C
85 lines
2.2 KiB
C
/*
|
|
* Copyright (C) 2009-2010 IBM Corporation
|
|
*
|
|
* Authors:
|
|
* Mimi Zohar <zohar@us.ibm.com>
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation, version 2 of the
|
|
* License.
|
|
*
|
|
*/
|
|
|
|
#include <linux/types.h>
|
|
#include <linux/integrity.h>
|
|
#include <crypto/sha.h>
|
|
|
|
/* iint action cache flags */
|
|
#define IMA_MEASURE 0x0001
|
|
#define IMA_MEASURED 0x0002
|
|
#define IMA_APPRAISE 0x0004
|
|
#define IMA_APPRAISED 0x0008
|
|
/*#define IMA_COLLECT 0x0010 do not use this flag */
|
|
#define IMA_COLLECTED 0x0020
|
|
#define IMA_AUDIT 0x0040
|
|
#define IMA_AUDITED 0x0080
|
|
|
|
/* iint cache flags */
|
|
#define IMA_DIGSIG 0x0100
|
|
|
|
#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT)
|
|
#define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED \
|
|
| IMA_COLLECTED)
|
|
|
|
enum evm_ima_xattr_type {
|
|
IMA_XATTR_DIGEST = 0x01,
|
|
EVM_XATTR_HMAC,
|
|
EVM_IMA_XATTR_DIGSIG,
|
|
};
|
|
|
|
struct evm_ima_xattr_data {
|
|
u8 type;
|
|
u8 digest[SHA1_DIGEST_SIZE];
|
|
} __attribute__((packed));
|
|
|
|
/* integrity data associated with an inode */
|
|
struct integrity_iint_cache {
|
|
struct rb_node rb_node; /* rooted in integrity_iint_tree */
|
|
struct inode *inode; /* back pointer to inode in question */
|
|
u64 version; /* track inode changes */
|
|
unsigned short flags;
|
|
struct evm_ima_xattr_data ima_xattr;
|
|
enum integrity_status ima_status;
|
|
enum integrity_status evm_status;
|
|
};
|
|
|
|
/* rbtree tree calls to lookup, insert, delete
|
|
* integrity data associated with an inode.
|
|
*/
|
|
struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
|
|
struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
|
|
|
|
#define INTEGRITY_KEYRING_EVM 0
|
|
#define INTEGRITY_KEYRING_MODULE 1
|
|
#define INTEGRITY_KEYRING_IMA 2
|
|
#define INTEGRITY_KEYRING_MAX 3
|
|
|
|
#ifdef CONFIG_INTEGRITY_SIGNATURE
|
|
|
|
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
|
|
const char *digest, int digestlen);
|
|
|
|
#else
|
|
|
|
static inline int integrity_digsig_verify(const unsigned int id,
|
|
const char *sig, int siglen,
|
|
const char *digest, int digestlen)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
#endif /* CONFIG_INTEGRITY_SIGNATURE */
|
|
|
|
/* set during initialization */
|
|
extern int iint_initialized;
|