• Roberto Sassu's avatar
    ima: new templates management mechanism · adf53a77
    Roberto Sassu authored
    The original 'ima' template is fixed length, containing the filedata hash
    and pathname.  The filedata hash is limited to 20 bytes (md5/sha1).  The
    pathname is a null terminated string, limited to 255 characters.  To
    overcome these limitations and to add additional file metadata, it is
    necessary to extend the current version of IMA by defining additional
    templates.
    
    The main reason to introduce this feature is that, each time a new
    template is defined, the functions that generate and display the
    measurement list would include the code for handling a new format and,
    thus, would significantly grow over time.
    
    This patch set solves this problem by separating the template management
    from the remaining IMA code. The core of this solution is the definition
    of two new data structures: a template descriptor, to determine which
    information should be included in the measurement list, and a template
    field, to generate and display data of a given type.
    
    To define a new template field, developers define the field identifier
    and implement two functions, init() and show(), respectively to generate
    and display measurement entries.  Initially, this patch set defines the
    following template fields (support for additional data types will be
    added later):
     - 'd': the digest of the event (i.e. the digest of a measured file),
            calculated with the SHA1 or MD5 hash algorithm;
     - 'n': the name of the event (i.e. the file name), with size up to
            255 bytes;
     - 'd-ng': the digest of the event, calculated with an arbitrary hash
               algorithm (field format: [<hash algo>:]digest, where the digest
               prefix is shown only if the hash algorithm is not SHA1 or MD5);
     - 'n-ng': the name of the event, without size limitations.
    
    Defining a new template descriptor requires specifying the template format,
    a string of field identifiers separated by the '|' character.  This patch
    set defines the following template descriptors:
     - "ima": its format is 'd|n';
     - "ima-ng" (default): its format is 'd-ng|n-ng'
    
    Further details about the new template architecture can be found in
    Documentation/security/IMA-templates.txt.
    
    Changelog:
    - don't defer calling ima_init_template() - Mimi
    - don't define ima_lookup_template_desc() until used - Mimi
    - squashed with documentation patch - Mimi
    Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
    Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
    adf53a77
ima_template.c 2.39 KB