Function report

Linux Kernel

v5.5.9


Source Code:security\integrity\ima\ima_main.c Create Date:2022-07-28 19:58:17
Last Modify:2020-03-12 14:18:49 Copyright©Brick

Name:process_measurement

Proto:static int process_measurement(struct file *file, const struct cred *cred, unsigned int secid, char *buf, loff_t size, int mask, enum ima_hooks func)

Type:int

Parameter:

Type    Parameter Name
struct file *file
const struct cred *cred
unsigned int secid
char *buf
loff_t size
int mask
enum ima_hooks func
196  inode = file_inode(file)
197  struct integrity_iint_cache * iint = NULL
198  struct ima_template_desc * template_desc = NULL
199  char * pathbuf = NULL
201  const char * pathname = NULL
202  rc = 0 , must_appraise = 0
203  pcr = CONFIG_IMA_MEASURE_PCR_IDX
204  struct evm_ima_xattr_data * xattr_value = NULL
205  struct modsig * modsig = NULL
206  xattr_len = 0
210  If Not ima_policy_flag || Not S_ISREG(i_mode) Then Return 0
217  action = ima_get_action(...)
219  violation_check = ( func == FILE_CHECK || func == MMAP_CHECK ) && ima_policy_flag & IMA_MEASURE
221  If Not action && Not violation_check Then Return 0
224  must_appraise = action & IMA_APPRAISE
227  If action & IMA_FILE_APPRAISE Then func = FILE_CHECK
230  inode_lock(inode)
232  If action Then
233  iint = integrity_inode_get(inode) — find or allocate an iint associated with an inode; returns the allocated iint; caller must lock i_mutex
234  If Not iint Then rc = -ENOMEM
238  If Not rc && violation_check Then ima_rdwr_violation_check(...) — only invalidate the PCR for measured files: opening a file for write when already open for read results in a time of measure, time of use (ToMToU) error; opening a file for read when already open for write, …
242  inode_unlock(inode)
244  If rc Then Go to out
246  If Not action Then Go to out
249  mutex_lock( & mutex ) — protects: version, flags, digest
251  If test_and_clear_bit(...) Then flags &= ~( IMA_APPRAISE | IMA_APPRAISED | IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | IMA_ACTION_FLAGS )
262  If test_and_clear_bit(...) || ( s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE && Not (s_iflags & SB_I_UNTRUSTED_MOUNTER) && Not (action & IMA_FAIL_UNVERIFIABLE_SIGS) ) Then
266  flags &= ~IMA_DONE_MASK
267  measured_pcrs = 0
274  flags |= action
275  action &= IMA_DO_MASK
276  action &= ~((flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1)
279  If action & IMA_MEASURE && measured_pcrs & 0x1 << pcr Then action ^= IMA_MEASURE
283  If action & IMA_HASH && Not test_bit(...) Then
285  xattr_len = ima_read_xattr(file_dentry(file), & xattr_value)
286  If xattr_value && xattr_len > 2 && type == EVM_IMA_XATTR_DIGSIG Then set_bit(...)
289  flags |= IMA_HASHED
290  action ^= IMA_HASH
291  set_bit(...)
295  If Not action Then
296  If must_appraise Then
299  If Not rc Then rc = ima_get_cache_status(iint, func)
302  Go to out_locked
305  If action & IMA_APPRAISE_SUBMASK || strcmp(name, IMA_TEMPLATE_IMA_NAME) != 0 Then
308  xattr_len = ima_read_xattr(file_dentry(file), & xattr_value)
315  If flags & IMA_MODSIG_ALLOWED Then
324  hash_algo = ima_get_hash_algo(xattr_value, xattr_len)
326  rc = ima_collect_measurement(...) — collect file measurement: calculate the file hash, if it doesn't already exist, storing the measurement and i_version in the iint; must be called with iint->mutex held; returns 0 on success, error code otherwise
327  If rc != 0 && rc != -EBADF && rc != -EINVAL Then Go to out_locked
330  If Not pathbuf Then pathname = ima_d_path( & f_path, & pathbuf, filename)
333  If action & IMA_MEASURE Then ima_store_measurement(...) — store file measurement: create an "ima" template and then store the template by calling ima_store_template
337  If rc == 0 && action & IMA_APPRAISE_SUBMASK Then
338  rc = ima_check_blacklist(...) — determine if the binary is blacklisted; add the hash of the blacklisted binary to the measurement list, based on policy; returns -EPERM if the hash is blacklisted
339  If rc != -EPERM Then
340  inode_lock(inode)
346  If Not rc Then rc = Prevent mmap'ing a file execute that is already mmap'ed write
350  If action & IMA_AUDIT Then ima_audit_measurement(iint, pathname)
353  If f_flags & O_DIRECT && flags & IMA_PERMIT_DIRECTIO Then rc = 0
355  out_locked :
356  If mask & MAY_WRITE && test_bit(...) && Not (flags & IMA_NEW_FILE) Then rc = -EACCES
359  mutex_unlock( & mutex ) — release the mutex taken at 249
360  kfree(xattr_value)
361  ima_free_modsig(modsig)
362  out :
363  If pathbuf Then __putname(pathbuf)
365  If must_appraise Then
366  If rc && ima_appraise & IMA_APPRAISE_ENFORCE Then Return -EACCES
368  If f_mode & FMODE_WRITE Then set_bit(...)
371  Return 0
Caller
Name    Describe
ima_file_mmap    ima_file_mmap - based on policy, collect/store measurement. @file: pointer to the file to be measured (May be NULL). @prot: contains the protection that will be applied by the kernel. Measure files being mmapped executable based on the ima_must_measure()
ima_bprm_check    ima_bprm_check - based on policy, collect/store measurement. @bprm: contains the linux_binprm structure. The OS protects against an executable file, already open for write, from being executed in deny_write_access() and an executable file,
ima_file_check    ima_path_check - based on policy, collect/store measurement. @file: pointer to the file to be measured. @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND. Measure files based on the ima_must_measure() policy decision. On success return 0
ima_post_read_file    ima_post_read_file - in memory collect/appraise/audit measurement. @file: pointer to the file to be measured/appraised/audited. @buf: pointer to in memory file contents. @size: size of in memory file contents. @read_id: caller identifier