Hi Roberto,
On Mon, 2021-07-26 at 18:36 +0200, Roberto Sassu wrote:
/*
- digest_list_read: read and parse the digest list from the path
- */
+static ssize_t digest_list_read(char *path, enum ops op) +{
void *data = NULL;
char *datap;
size_t size;
u8 actions = 0;
struct file *file;
char event_name[NAME_MAX + 9 + 1];
u8 digest[IMA_MAX_DIGEST_SIZE] = { 0 };
enum hash_algo algo;
int rc, pathlen = strlen(path);
/* Remove \n. */
datap = path;
strsep(&datap, "\n");
file = filp_open(path, O_RDONLY, 0);
if (IS_ERR(file)) {
pr_err("unable to open file: %s (%ld)", path, PTR_ERR(file));
return PTR_ERR(file);
}
rc = kernel_read_file(file, 0, &data, INT_MAX, NULL,
READING_DIGEST_LIST);
if (rc < 0) {
pr_err("unable to read file: %s (%d)", path, rc);
goto out;
}
size = rc;
snprintf(event_name, sizeof(event_name), "%s_file_%s",
op == DIGEST_LIST_ADD ? "add" : "del",
file_dentry(file)->d_name.name);
rc = ima_measure_critical_data("diglim", event_name, data, size, false,
digest, sizeof(digest));
if (rc < 0 && rc != -EEXIST)
goto out_vfree;
The digest lists could easily be measured while reading the digest list file above in kernel_read_file(). What makes it "critical-data"? In the SELinux case, the in memory SELinux policy is being measured and re-measured to make sure it hasn't been modified. Is the digest list file data being measured more than once?
I understand that with your changes to ima_measure_critical_data(), which are now in next-integrity-testing branch, allow IMA to calculate the file data hash.
thanks,
Mimi
algo = ima_get_current_hash_algo();