
Commit cb1aa38

nramasmimizohar
authored and committed
KEYS: Call the IMA hook to measure keys
Call the IMA hook from key_create_or_update() function to measure the payload when a new key is created or an existing key is updated. This patch adds the call to the IMA hook from key_create_or_update() function to measure the key on key create or update. Signed-off-by: Lakshmi Ramasubramanian <[email protected]> Cc: David Howells <[email protected]> Cc: Jarkko Sakkinen <[email protected]> Signed-off-by: Mimi Zohar <[email protected]>
1 parent 88e70da commit cb1aa38


2 files changed

+24
-0
lines changed


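--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -101,6 +101,20 @@ static inline void ima_add_kexec_buffer(struct kimage *image)
 {}
 #endif
 
+#if defined(CONFIG_IMA) && defined(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE)
+extern void ima_post_key_create_or_update(struct key *keyring,
+struct key *key,
+const void *payload, size_t plen,
+unsigned long flags, bool create);
+#else
+static inline void ima_post_key_create_or_update(struct key *keyring,
+struct key *key,
+const void *payload,
+size_t plen,
+unsigned long flags,
+bool create) {}
+#endif /* CONFIG_IMA && CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE */
+
 #ifdef CONFIG_IMA_APPRAISE
 extern bool is_ima_appraise_enabled(void);
 extern void ima_inode_post_setattr(struct dentry *dentry);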
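--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -13,6 +13,7 @@
 #include <linux/security.h>
 #include <linux/workqueue.h>
 #include <linux/random.h>
+#include <linux/ima.h>
 #include <linux/err.h>
 #include "internal.h"
 
@@ -936,6 +937,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
 goto error_link_end;
 }
 
+ima_post_key_create_or_update(keyring, key, payload, plen,
+flags, true);
+
 key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
 
 error_link_end:
@@ -965,6 +969,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
 }
 
 key_ref = __key_update(key_ref, &prep);
+
+if (!IS_ERR(key_ref))
+ima_post_key_create_or_update(keyring, key,
+payload, plen,
+flags, false);
+
 goto error_free_prep;
 }
 EXPORT_SYMBOL(key_create_or_update);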