ima: Define new template field imode

This patch defines the new template field imode, which includes the
inode mode. It can be used by a remote verifier to verify the EVM portable
signature, if it was included with the template fields sig or evmsig.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst
index bf8ce4cf5878ac7585b0645a2d23a834dcc77650..65c1ce451d083ea90101ef9d9068cc99c2a14429 100644 (file)
--- a/Documentation/security/IMA-templates.rst
+++ b/Documentation/security/IMA-templates.rst
@@ -77,6 +77,7 @@ descriptors by adding their identifier to the format string
  - 'evmsig': the EVM portable signature;
  - 'iuid': the inode UID;
  - 'igid': the inode GID;
+ - 'imode': the inode mode;
 
 
 Below, there is the list of defined template descriptors:

diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index a5ecd9e2581bdb2a2a40c78e3ad0c909ffaeb8ae..43784f2bf8bd6f5639eeccca5f58b11cb27c2d1b 100644 (file)
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -51,6 +51,8 @@ static const struct ima_template_field supported_fields[] = {
         .field_show = ima_show_template_uint},
        {.field_id = "igid", .field_init = ima_eventinodegid_init,
         .field_show = ima_show_template_uint},
+       {.field_id = "imode", .field_init = ima_eventinodemode_init,
+        .field_show = ima_show_template_uint},
 };
 
 /*

diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 87b40f391739fa23d09b4b1bb1b82a0f9d4d1479..3156fb34b1afa53a0cb86928ccd7403b9236213a 100644 (file)
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -596,3 +596,25 @@ int ima_eventinodegid_init(struct ima_event_data *event_data,
 {
        return ima_eventinodedac_init_common(event_data, field_data, false);
 }
+
+/*
+ *  ima_eventinodemode_init - include the inode mode as part of the template
+ *  data
+ */
+int ima_eventinodemode_init(struct ima_event_data *event_data,
+                           struct ima_field_data *field_data)
+{
+       struct inode *inode;
+       umode_t mode;
+
+       if (!event_data->file)
+               return 0;
+
+       inode = file_inode(event_data->file);
+       mode = inode->i_mode;
+       if (ima_canonical_fmt)
+               mode = cpu_to_le16(mode);
+
+       return ima_write_template_field_data((char *)&mode, sizeof(mode),
+                                            DATA_FMT_UINT, field_data);
+}

diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h
index b0aaf109f386e2e82dbdbea16cb0ecf7dc6933a2..6509af4a97ee533267a148b383eb2cb88c92eaa6 100644 (file)
--- a/security/integrity/ima/ima_template_lib.h
+++ b/security/integrity/ima/ima_template_lib.h
@@ -54,4 +54,6 @@ int ima_eventinodeuid_init(struct ima_event_data *event_data,
                           struct ima_field_data *field_data);
 int ima_eventinodegid_init(struct ima_event_data *event_data,
                           struct ima_field_data *field_data);
+int ima_eventinodemode_init(struct ima_event_data *event_data,
+                           struct ima_field_data *field_data);
 #endif /* __LINUX_IMA_TEMPLATE_LIB_H */