ima: Introduce per binary measurements list type ima_num_records counter
authorRoberto Sassu <roberto.sassu@huawei.com>
Fri, 5 Jun 2026 17:22:27 +0000 (19:22 +0200)
committerMimi Zohar <zohar@linux.ibm.com>
Mon, 8 Jun 2026 15:42:56 +0000 (11:42 -0400)
Make ima_num_records an array, to have separate counters per binary
measurements list type. Currently, define the BINARY type for the existing
binary measurements list.

No functional change: the BINARY type is equivalent to the value without
the array.

Link: https://github.com/linux-integrity/linux/issues/1
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
security/integrity/ima/ima.h
security/integrity/ima/ima_fs.c
security/integrity/ima/ima_kexec.c
security/integrity/ima/ima_queue.c

index 0e41c2113efd331dc7478e85e279e78986d26a81..8f457f2c7b79d90ba7b68e5b3e5241e3490dbaeb 100644 (file)
@@ -28,6 +28,13 @@ enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN,
                     IMA_SHOW_BINARY_OLD_STRING_FMT, IMA_SHOW_ASCII };
 enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8, TPM_PCR10 = 10 };
 
+/*
+ * BINARY: current binary measurements list
+ */
+enum binary_lists {
+       BINARY, BINARY__LAST
+};
+
 /* digest size for IMA, fits SHA1 or MD5 */
 #define IMA_DIGEST_SIZE                SHA1_DIGEST_SIZE
 #define IMA_EVENT_NAME_LEN_MAX 255
@@ -326,7 +333,7 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
 extern spinlock_t ima_queue_lock;
 
 /* Total number of measurement list records since hard boot. */
-extern atomic_long_t ima_num_records;
+extern atomic_long_t ima_num_records[BINARY__LAST];
 /* Total number of violations since hard boot. */
 extern atomic_long_t ima_num_violations;
 extern struct hlist_head __rcu *ima_htable;
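Review bot: The comment above the new `ima_num_records[BINARY__LAST]` declaration still reads as if it described a single counter and does not say what indexes the array; I would change it to `/* Total number of measurement list records since hard boot, one counter per enum binary_lists type. */`. On style, `BINARY` and `BINARY__LAST` are bare, unprefixed identifiers in a header included by several files, while the neighbouring enums in the same hunk use `IMA_SHOW_` and `TPM_` prefixes; a prefix such as `IMA_BINARY`/`IMA_BINARY__LAST` would match the surrounding convention and reduce the chance of a collision with other headers. The `/* BINARY: current binary measurements list */` comment on the enum would then also be worth saying why the enum exists, e.g. that it indexes the per-list-type counters.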
index 523d3e81f631314dcb78b7d4d5d6b1c06fb2fee2..fcfcf7b6eae297a01449dbfbf465d3e2c173cbb9 100644 (file)
@@ -63,7 +63,7 @@ static ssize_t ima_show_measurements_count(struct file *filp,
                                           char __user *buf,
                                           size_t count, loff_t *ppos)
 {
-       return ima_show_counter(buf, count, ppos, &ima_num_records);
+       return ima_show_counter(buf, count, ppos, &ima_num_records[BINARY]);
 }
 
 static const struct file_operations ima_measurements_count_ops = {
index 77ad370dbc37573b7ecc7c00e98649ae6c0662c2..1a0211a12ea4f01abfceb05bd62b5d6e409abf74 100644 (file)
@@ -43,7 +43,7 @@ void ima_measure_kexec_event(const char *event_name)
        int n;
 
        buf_size = ima_get_binary_runtime_size();
-       len = atomic_long_read(&ima_num_records);
+       len = atomic_long_read(&ima_num_records[BINARY]);
 
        n = scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN,
                      "kexec_segment_size=%lu;ima_binary_runtime_size=%lu;"
index a31b75d9302b0fc19fc9e5b0781bc6b13ce742f1..012e725ed4fc2e9179f3d75c8c1854ba4ba7c874 100644 (file)
@@ -32,7 +32,9 @@ static unsigned long binary_runtime_size;
 static unsigned long binary_runtime_size = ULONG_MAX;
 #endif
 
-atomic_long_t ima_num_records = ATOMIC_LONG_INIT(0);
+atomic_long_t ima_num_records[BINARY__LAST] = {
+       [0 ... BINARY__LAST - 1] = ATOMIC_LONG_INIT(0)
+};
 atomic_long_t ima_num_violations = ATOMIC_LONG_INIT(0);
 
 /* key: inode (before secure-hashing a file) */
@@ -152,7 +154,7 @@ static int ima_add_digest_entry(struct ima_template_entry *entry,
        htable = rcu_dereference_protected(ima_htable,
                                lockdep_is_held(&ima_extend_list_mutex));
 
-       atomic_long_inc(&ima_num_records);
+       atomic_long_inc(&ima_num_records[BINARY]);
        if (update_htable) {
                key = ima_hash_key(entry->digests[ima_hash_algo_idx].digest);
                hlist_add_head_rcu(&qe->hnext, &htable[key]);
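Review bot: The increment in ima_add_digest_entry is hard-wired to `ima_num_records[BINARY]`, so the function as written cannot account a record against any other list type the array is being introduced for; ima_add_digest_entry starts outside the hunk, so it is not visible whether it could learn the list type from its caller or from `entry`, and a short comment such as `/* only the BINARY list is accounted here until other list types are added */` at the increment would make the intent explicit. In the earlier hunk of this file, the initializer `[0 ... BINARY__LAST - 1] = ATOMIC_LONG_INIT(0)` uses a GNU range designator; since the array has static storage and the initializer value appears to be zero, it looks equivalent to leaving the array zero-initialized, so the explicit form is presumably there for readability rather than necessity and a one-line comment saying so would stop a reader from hunting for a non-zero case.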