tpm: ima: Implement vTPM connect to IMA

Signed-off-by: Stefan Berger <[email protected]>

Author: stefanberger

libcontainer/container_linux.go

@@ -1640,6 +1640,15 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
 		Value: uint32(cloneFlags),
 	})
 
+	// write vTPM file descriptor
+	if len(c.config.VTPMs) > 0 {
+		vtpmfd := c.config.VTPMs[0].GetAnonFD()
+		r.AddData(&Int32msg{
+			Type:  VTpmFDAttr,
+			Value: uint32(vtpmfd),
+		})
+	}
+
 	// write custom namespace paths
 	if len(nsMaps) > 0 {
 		nsPaths, err := c.orderNamespacePaths(nsMaps)

libcontainer/message_linux.go

@@ -18,6 +18,7 @@ const (
 	SetgroupAttr    uint16 = 27285
 	OomScoreAdjAttr uint16 = 27286
 	RootlessAttr    uint16 = 27287
+	VTpmFDAttr	uint16 = 27288
 )
 
 type Int32msg struct {

libcontainer/nsenter/nsexec.c

@@ -75,8 +75,12 @@ struct nlconfig_t {
 	uint8_t is_rootless;
 	char *oom_score_adj;
 	size_t oom_score_adj_len;
+	int32_t vtpmfd;
 };
 
+/* ioctl for vtpm proxy device */
+#define VTPM_PROXY_IOC_TRANSFER_IMA  _IO(0xa1, 0x10)
+
 /*
  * List of netlink message types sent to us as part of bootstrapping the init.
  * These constants are defined in libcontainer/message_linux.go.
@@ -89,6 +93,7 @@ struct nlconfig_t {
 #define SETGROUP_ATTR		27285
 #define OOM_SCORE_ADJ_ATTR	27286
 #define ROOTLESS_ATTR	    27287
+#define VTPMFD_ATTR		27288
 
 /*
  * Use the raw syscall for versions of glibc which don't include a function for
@@ -353,6 +358,9 @@ static void nl_parse(int fd, struct nlconfig_t *config)
 		case SETGROUP_ATTR:
 			config->is_setgroup = readint8(current);
 			break;
+		case VTPMFD_ATTR:
+			config->vtpmfd = readint32(current);
+			break;
 		default:
 			bail("unknown netlink message type %d", nlattr->nla_type);
 		}
@@ -431,12 +439,22 @@ void join_namespaces(char *nslist)
 	free(namespaces);
 }
 
+void ima_namespace_set_vtpm(int vtpmfd)
+{
+	int n = ioctl(vtpmfd, VTPM_PROXY_IOC_TRANSFER_IMA);
+	/* ENOTTY: driver too old */
+	if (n && n != ENOTTY) {
+//		bail("Error transferring VTPM to IMA: %s", strerror(errno));
+	}
+}
+
 void nsexec(void)
 {
 	int pipenum;
 	jmp_buf env;
 	int sync_child_pipe[2], sync_grandchild_pipe[2];
 	struct nlconfig_t config = {0};
+	config.vtpmfd = -1;
 
 	/*
 	 * If we don't have an init pipe, just return to the go routine.
@@ -713,6 +731,7 @@ void nsexec(void)
 			if (config.namespaces)
 				join_namespaces(config.namespaces);
 
+
 			/*
 			 * Unshare all of the namespaces. Now, it should be noted that this
 			 * ordering might break in the future (especially with rootless
@@ -726,6 +745,8 @@ void nsexec(void)
 			if (unshare(config.cloneflags) < 0)
 				bail("failed to unshare namespaces");
 
+			if (config.vtpmfd > 0)
+				ima_namespace_set_vtpm(config.vtpmfd);
 			/*
 			 * Deal with user namespaces first. They are quite special, as they
 			 * affect our ability to unshare other namespaces and are used as