ima: add support for different security.ima data types

IMA-appraisal currently verifies the integrity of a file based on a
known 'good' measurement value.  This patch reserves the first byte
of 'security.ima' as a place holder for the type of method used for
verifying file data integrity.

Changelog v1:
- Use the newly defined 'struct evm_ima_xattr_data'
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

security/integrity/ima/ima_api.c

@@ -147,8 +147,8 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
 	if (!(iint->flags & IMA_COLLECTED)) {
 		u64 i_version = file->f_dentry->d_inode->i_version;
 
-		memset(iint->digest, 0, IMA_DIGEST_SIZE);
-		result = ima_calc_hash(file, iint->digest);
+		iint->ima_xattr.type = IMA_XATTR_DIGEST;
+		result = ima_calc_hash(file, iint->ima_xattr.digest);
 		if (!result) {
 			iint->version = i_version;
 			iint->flags |= IMA_COLLECTED;
@@ -196,7 +196,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
 		return;
 	}
 	memset(&entry->template, 0, sizeof(entry->template));
-	memcpy(entry->template.digest, iint->digest, IMA_DIGEST_SIZE);
+	memcpy(entry->template.digest, iint->ima_xattr.digest, IMA_DIGEST_SIZE);
 	strcpy(entry->template.file_name,
 	       (strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ?
 	       file->f_dentry->d_name.name : filename);

security/integrity/ima/ima_appraise.c

@@ -45,9 +45,9 @@ int ima_must_appraise(struct inode *inode, enum ima_hooks func, int mask)
 static void ima_fix_xattr(struct dentry *dentry,
 			  struct integrity_iint_cache *iint)
 {
-	iint->digest[0] = IMA_XATTR_DIGEST;
-	__vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
-			      iint->digest, IMA_DIGEST_SIZE + 1, 0);
+	iint->ima_xattr.type = IMA_XATTR_DIGEST;
+	__vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, (u8 *)&iint->ima_xattr,
+			      sizeof iint->ima_xattr, 0);
 }
 
 /*
@@ -63,7 +63,7 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
 {
 	struct dentry *dentry = file->f_dentry;
 	struct inode *inode = dentry->d_inode;
-	u8 xattr_value[IMA_DIGEST_SIZE];
+	struct evm_ima_xattr_data xattr_value;
 	enum integrity_status status = INTEGRITY_UNKNOWN;
 	const char *op = "appraise_data";
 	char *cause = "unknown";
@@ -77,8 +77,8 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
 	if (iint->flags & IMA_APPRAISED)
 		return iint->ima_status;
 
-	rc = inode->i_op->getxattr(dentry, XATTR_NAME_IMA, xattr_value,
-				   IMA_DIGEST_SIZE);
+	rc = inode->i_op->getxattr(dentry, XATTR_NAME_IMA, (u8 *)&xattr_value,
+				   sizeof xattr_value);
 	if (rc <= 0) {
 		if (rc && rc != -ENODATA)
 			goto out;
@@ -89,7 +89,8 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
 		goto out;
 	}
 
-	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
+	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, (u8 *)&xattr_value,
+				 rc, iint);
 	if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
 		if ((status == INTEGRITY_NOLABEL)
 		    || (status == INTEGRITY_NOXATTRS))
@@ -99,14 +100,16 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
 		goto out;
 	}
 
-	rc = memcmp(xattr_value, iint->digest, IMA_DIGEST_SIZE);
+	rc = memcmp(xattr_value.digest, iint->ima_xattr.digest,
+		    IMA_DIGEST_SIZE);
 	if (rc) {
 		status = INTEGRITY_FAIL;
 		cause = "invalid-hash";
 		print_hex_dump_bytes("security.ima: ", DUMP_PREFIX_NONE,
-				     xattr_value, IMA_DIGEST_SIZE);
+				     &xattr_value, sizeof xattr_value);
 		print_hex_dump_bytes("collected: ", DUMP_PREFIX_NONE,
-				     iint->digest, IMA_DIGEST_SIZE);
+				     (u8 *)&iint->ima_xattr,
+				     sizeof iint->ima_xattr);
 		goto out;
 	}
 	status = INTEGRITY_PASS;

security/integrity/integrity.h

@@ -39,7 +39,7 @@ struct integrity_iint_cache {
 	struct inode *inode;	/* back pointer to inode in question */
 	u64 version;		/* track inode changes */
 	unsigned char flags;
-	u8 digest[SHA1_DIGEST_SIZE];
+	struct evm_ima_xattr_data ima_xattr;
 	enum integrity_status ima_status;
 	enum integrity_status evm_status;
 };