Add FIRMWARE_PARTIAL_READ support for integrity measurement on partial reads of firmware files.
Signed-off-by: Scott Branden scott.branden@broadcom.com --- security/integrity/ima/ima_main.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index c1583d98c5e5..5602bc858369 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -610,6 +610,9 @@ void ima_post_path_mknod(struct dentry *dentry) */ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) { + enum ima_hooks func; + u32 secid; + /* * READING_FIRMWARE_PREALLOC_BUFFER * @@ -618,11 +621,27 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) * of IMA's signature verification any more than when using two * buffers? */ - return 0; + if (read_id != READING_FIRMWARE_PARTIAL_READ) + return 0; + + if (!file) { + if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + pr_err("Prevent firmware loading_store.\n"); + return -EACCES; /* INTEGRITY_UNKNOWN */ + } + return 0; + } + + func = read_idmap[read_id] ?: FILE_CHECK; + security_task_getsecid(current, &secid); + return process_measurement(file, current_cred(), secid, NULL, + 0, MAY_READ, func); }
const int read_idmap[READING_MAX_ID] = { [READING_FIRMWARE] = FIRMWARE_CHECK, + [READING_FIRMWARE_PARTIAL_READ] = FIRMWARE_CHECK, [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, [READING_MODULE] = MODULE_CHECK, [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK, @@ -649,6 +668,9 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, enum ima_hooks func; u32 secid;
+ if (read_id == READING_FIRMWARE_PARTIAL_READ) + return 0; + if (!file && read_id == READING_FIRMWARE) { if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && (ima_appraise & IMA_APPRAISE_ENFORCE)) {