From: Roberto Sassu <[email protected]> Make ima_num_records an array, to have separate counters per binary measurements list type. For now, define the BINARY type for the existing binary measurements list.
No functional change: the BINARY type is equivalent to the value without the array.
Link: https://github.com/linux-integrity/linux/issues/1
Signed-off-by: Roberto Sassu <[email protected]>
Reviewed-by: Mimi Zohar <[email protected]>
---
security/integrity/ima/ima.h | 9 ++++++++-
security/integrity/ima/ima_fs.c | 2 +-
security/integrity/ima/ima_kexec.c | 2 +-
security/integrity/ima/ima_queue.c | 6 ++++--
4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 0e41c2113efd..8f457f2c7b79 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -28,6 +28,13 @@ enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN,
 IMA_SHOW_BINARY_OLD_STRING_FMT, IMA_SHOW_ASCII };
 enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8, TPM_PCR10 = 10 };
+/*
+ * BINARY: current binary measurements list
+ */
+enum binary_lists {
+ BINARY, BINARY__LAST
+};
+
 /* digest size for IMA, fits SHA1 or MD5 */
 #define IMA_DIGEST_SIZE SHA1_DIGEST_SIZE
 #define IMA_EVENT_NAME_LEN_MAX 255
@@ -326,7 +333,7 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
 extern spinlock_t ima_queue_lock;
 /* Total number of measurement list records since hard boot. */
-extern atomic_long_t ima_num_records;
+extern atomic_long_t ima_num_records[BINARY__LAST];
 /* Total number of violations since hard boot. */
 extern atomic_long_t ima_num_violations;
 extern struct hlist_head __rcu *ima_htable;
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 523d3e81f631..fcfcf7b6eae2 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
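Review bot: The comment block introduced above `enum binary_lists` documents only `BINARY`, while `BINARY__LAST` is not a list type at all but the bound that sizes `ima_num_records` and therefore must stay the last enumerator; a reader adding a second list after it would silently shrink the array. Suggest extending the comment with ` * BINARY__LAST: array bound for the per-list counters, must remain last`. As a point of style, the enum and its values carry no `ima_`/`IMA_` prefix, unlike the neighbouring `enum ima_show_type` and `IMA_SHOW_*` values, and a bare `BINARY` in a header is easy to collide with a macro from another header; a prefixed spelling such as `IMA_BINARY_LIST` would be safer if the series is still open to renames.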
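Review bot: The comment above the changed declaration still reads `/* Total number of measurement list records since hard boot. */`, which no longer describes `ima_num_records[BINARY__LAST]`: the object is now one counter per list type, indexed by `enum binary_lists`, not a single total. Suggest `/* Number of measurement list records since hard boot, one counter per enum binary_lists entry. */`. The adjacent `ima_num_violations` comment is unchanged and correctly remains a single counter.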
@@ -63,7 +63,7 @@ static ssize_t ima_show_measurements_count(struct file *filp,
 char __user *buf,
 size_t count, loff_t *ppos)
 {
- return ima_show_counter(buf, count, ppos, &ima_num_records);
+ return ima_show_counter(buf, count, ppos, &ima_num_records[BINARY]);
 }
 static const struct file_operations ima_measurements_count_ops = {
diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index 77ad370dbc37..1a0211a12ea4 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -43,7 +43,7 @@ void ima_measure_kexec_event(const char *event_name)
 int n;
 buf_size = ima_get_binary_runtime_size();
- len = atomic_long_read(&ima_num_records);
+ len = atomic_long_read(&ima_num_records[BINARY]);
 n = scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN,
 "kexec_segment_size=%lu;ima_binary_runtime_size=%lu;"
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index a31b75d9302b..012e725ed4fc 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -32,7 +32,9 @@ static unsigned long binary_runtime_size;
 static unsigned long binary_runtime_size = ULONG_MAX;
 #endif
-atomic_long_t ima_num_records = ATOMIC_LONG_INIT(0);
+atomic_long_t ima_num_records[BINARY__LAST] = {
+ [0 ... BINARY__LAST - 1] = ATOMIC_LONG_INIT(0)
+};
 atomic_long_t ima_num_violations = ATOMIC_LONG_INIT(0);
 /* key: inode (before secure-hashing a file) */
@@ -152,7 +154,7 @@ static int ima_add_digest_entry(struct ima_template_entry *entry,
 htable = rcu_dereference_protected(ima_htable,
 lockdep_is_held(&ima_extend_list_mutex));
- atomic_long_inc(&ima_num_records);
+ atomic_long_inc(&ima_num_records[BINARY]);
 if (update_htable) {
 key = ima_hash_key(entry->digests[ima_hash_algo_idx].digest);
 hlist_add_head_rcu(&qe->hnext, &htable[key]);
--
2.43.0
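Review bot: `atomic_long_inc(&ima_num_records[BINARY]);` in ima_add_digest_entry hard-codes the list index at the one place where records are counted, so every entry added through this path is attributed to the BINARY list no matter which list a future caller intends; nothing in the hunk says whether that is a placeholder or the final design. A short comment would keep the next reader from assuming the index is chosen by the caller: `/* Every entry is currently counted against the BINARY list; index by list type once further lists exist. */`. The readers in ima_fs.c and ima_kexec.c select the same slot, which matches the stated no-functional-change intent. ima_add_digest_entry starts before this hunk and continues after it.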

