path: root/kernel
author: Roberto Sassu <roberto.sassu@huawei.com> 2022-03-02 12:13:57 +0100
committer: Alexei Starovoitov <ast@kernel.org> 2022-03-10 18:56:24 -0800
commit: 280fe8367b0dc45b6ac5e04fad03e16e99540c0c (patch)
tree: 54b679ce4f2f18f8c34010fc0c2d52830bfcc1bf /kernel
parent: bae60eefb95ca8f2abebaf157d4815ce8fbb0e75 (diff)
ima: Always return a file measurement in ima_file_hash()
__ima_inode_hash() checks if a digest has been already calculated by looking for the integrity_iint_cache structure associated to the passed inode. Users of ima_file_hash() (e.g. eBPF) might be interested in obtaining the information without having to set up an IMA policy so that the digest is always available at the time they call this function. In addition, they likely expect the digest to be fresh, e.g. recalculated by IMA after a file write. Although getting the digest from the bprm_committed_creds hook (as in the eBPF test) ensures that the digest is fresh, as the IMA hook is executed before that hook, this is not always the case (e.g. for the mmap_file hook).

Call ima_collect_measurement() in __ima_inode_hash(), if the file descriptor is available (passed by ima_file_hash()) and the digest is not available/not fresh, and store the file measurement in a temporary integrity_iint_cache structure.

This change does not cause memory usage increase, due to using the temporary integrity_iint_cache structure, and due to freeing the ima_digest_data structure inside integrity_iint_cache before exiting from __ima_inode_hash().

For compatibility reasons, the behavior of ima_inode_hash() remains unchanged.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Link: https://lore.kernel.org/bpf/20220302111404.193900-3-roberto.sassu@huawei.com
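The semantic difference the commit describes, as an added, constructed Python model that is not kernel code and not part of this commit: an inode carries an optional cached integrity record (standing in for integrity_iint_cache), a write clears its "collected" state so the cached digest counts as stale, `ima_inode_hash()` only ever reports a cached, fresh digest, and `ima_file_hash()` falls back to collecting a fresh measurement into a temporary record that is discarded rather than attached to the inode. The class and function names below are assumptions chosen to mirror the commit message; the real kernel tracks freshness through iint flags rather than a boolean.

```python
import hashlib


class IintCache:
    """Model of integrity_iint_cache: a digest plus a 'collected' state
    that is cleared again once the file is written (digest is stale)."""

    def __init__(self):
        self.digest = None
        self.collected = False


class Inode:
    """Constructed in-memory file: contents plus an optional cached iint."""

    def __init__(self, data: bytes):
        self.data = data
        self.iint = None


def collect_measurement(inode: Inode) -> bytes:
    """Model of ima_collect_measurement(): hash the current contents."""
    return hashlib.sha256(inode.data).digest()


def file_write(inode: Inode, data: bytes) -> None:
    """A write makes any cached digest stale (modelled by clearing 'collected')."""
    inode.data = data
    if inode.iint is not None:
        inode.iint.collected = False


def ima_measure_by_policy(inode: Inode) -> None:
    """Model of the IMA hook path when a policy matches: the measurement is
    cached persistently on the inode."""
    if inode.iint is None:
        inode.iint = IintCache()
    inode.iint.digest = collect_measurement(inode)
    inode.iint.collected = True


def ima_inode_hash(inode: Inode):
    """Unchanged behaviour: report a digest only if a fresh one is cached."""
    iint = inode.iint
    if iint is None or not iint.collected:
        return None
    return iint.digest


def ima_file_hash(inode: Inode) -> bytes:
    """New behaviour: use the cached digest when it is fresh, otherwise collect
    a measurement into a temporary record that is freed, not stored."""
    iint = inode.iint
    if iint is not None and iint.collected:
        return iint.digest
    tmp = IintCache()                      # temporary integrity_iint_cache
    tmp.digest = collect_measurement(inode)
    digest = tmp.digest
    del tmp                                # digest data freed before returning
    return digest


if __name__ == "__main__":
    f = Inode(b"#!/bin/sh\necho hello\n")   # constructed file contents
    print("no policy, inode_hash:", ima_inode_hash(f))
    print("no policy, file_hash: ", ima_file_hash(f).hex())
    ima_measure_by_policy(f)
    file_write(f, b"#!/bin/sh\necho changed\n")
    print("after write, inode_hash:", ima_inode_hash(f))
    print("after write, file_hash: ", ima_file_hash(f).hex())
```

Running the model shows the two cases the commit cares about: with no policy in place `ima_inode_hash()` has nothing to report while `ima_file_hash()` still returns a digest, and after a write the cached record is stale, so only `ima_file_hash()` reflects the current contents, without the temporary record ever being attached to the inode.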
Diffstat (limited to 'kernel')
0 files changed, 0 insertions, 0 deletions