[PATCH v3 3/5] LSM: Add security_measure_data in lsm_info struct

Fri, 17 Jul 2020 15:29:00 -0700 

The security modules that require their data to be measured using
the IMA subsystem need to define a function that the LSM can call
to trigger the measurement.

Add a function pointer field namely security_measure_data in lsm_info
structure. Update LSM to call this security module function, if defined,
to measure the security module's data using the IMA subsystem.

Signed-off-by: Lakshmi Ramasubramanian <nra...@linux.microsoft.com>
---
 include/linux/lsm_hooks.h |  3 +++
 security/security.c       | 48 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 95b7c1d32062..17afdf319c55 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1591,6 +1591,9 @@ struct lsm_info {
        int *enabled;           /* Optional: controlled by CONFIG_LSM */
        int (*init)(void);      /* Required. */
        struct lsm_blob_sizes *blobs; /* Optional: for blob sharing. */
+       void (*security_measure_data)(void); /* Optional: for measuring
+                                             * security module data.
+                                             */
 };
 
 extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
diff --git a/security/security.c b/security/security.c
index 70a7ad357bc6..88ce1b780ffd 100644
--- a/security/security.c
+++ b/security/security.c
@@ -86,6 +86,9 @@ static __initconst const char * const builtin_lsm_order = 
CONFIG_LSM;
 static __initdata struct lsm_info **ordered_lsms;
 static __initdata struct lsm_info *exclusive;
 
+static struct lsm_info *security_state_lsms;
+static int security_state_lsms_count;
+
 static __initdata bool debug;
 #define init_debug(...)                                                \
        do {                                                    \
@@ -235,6 +238,45 @@ static void __init initialize_lsm(struct lsm_info *lsm)
        }
 }
 
+static void measure_security_state(struct lsm_info *lsm)
+{
+       if (!lsm->security_measure_data)
+               return;
+
+       lsm->security_measure_data();
+}
+
+static void __init initialize_security_state_lsms(void)
+{
+       struct lsm_info **lsm;
+       int count = 0;
+       int inx;
+
+       for (lsm = ordered_lsms; *lsm; lsm++) {
+               if ((*lsm)->security_measure_data)
+                       count++;
+       }
+
+       if (count == 0)
+               return;
+
+       security_state_lsms = kcalloc(count, sizeof(struct lsm_info),
+                                     GFP_KERNEL);
+       if (!security_state_lsms)
+               return;
+
+       inx = 0;
+       for (lsm = ordered_lsms; *lsm; lsm++) {
+               if ((*lsm)->security_measure_data) {
+                       security_state_lsms[inx].security_measure_data =
+                               (*lsm)->security_measure_data;
+                       inx++;
+               }
+       }
+
+       security_state_lsms_count = count;
+}
+
 /* Populate ordered LSMs list from comma-separated LSM name list. */
 static void __init ordered_lsm_parse(const char *order, const char *origin)
 {
@@ -352,8 +394,12 @@ static void __init ordered_lsm_init(void)
 
        lsm_early_cred((struct cred *) current->cred);
        lsm_early_task(current);
-       for (lsm = ordered_lsms; *lsm; lsm++)
+       for (lsm = ordered_lsms; *lsm; lsm++) {
                initialize_lsm(*lsm);
+               measure_security_state(*lsm);
+       }
+
+       initialize_security_state_lsms();
 
        kfree(ordered_lsms);
 }
-- 
2.27.0

Reply via email to