authorDeven Bowers <deven.desai@linux.microsoft.com>2024-08-02 23:08:27 -0700
committerPaul Moore <paul@paul-moore.com>2024-08-20 14:02:45 -0400
commite155858dd99523d4afe0f74e9c26e4f4499eb5af (patch)
tree4e9034938934ccc58d6f10aff42616140392afe2 /security/ipe/audit.c
parenta6af7bc3d72ff52c5526a392144347fcb3094149 (diff)
ipe: add support for dm-verity as a trust provider
Allows the author of an IPE policy to indicate trust for a single dm-verity volume, identified by its roothash, through "dmverity_roothash", and for all signed and validated dm-verity volumes through "dmverity_signature". Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com> Signed-off-by: Fan Wu <wufan@linux.microsoft.com> [PM: fixed some line length issues in the comments] Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/ipe/audit.c')
-rw-r--r--security/ipe/audit.c29
1 files changed, 27 insertions, 2 deletions
diff --git a/security/ipe/audit.c b/security/ipe/audit.c
index 5af150d99d63..8e21879e96c7 100644
--- a/security/ipe/audit.c
+++ b/security/ipe/audit.c
@@ -13,6 +13,7 @@
#include "hooks.h"
#include "policy.h"
#include "audit.h"
+#include "digest.h"
#define ACTSTR(x) ((x) == IPE_ACTION_ALLOW ? "ALLOW" : "DENY")
@@ -52,9 +53,23 @@ static const char *const audit_hook_names[__IPE_HOOK_MAX] = {
static const char *const audit_prop_names[__IPE_PROP_MAX] = {
"boot_verified=FALSE",
"boot_verified=TRUE",
+ "dmverity_roothash=",
+ "dmverity_signature=FALSE",
+ "dmverity_signature=TRUE",
};
/**
+ * audit_dmv_roothash() - audit the roothash of a dmverity_roothash property.
+ * @ab: Supplies a pointer to the audit_buffer to append to.
+ * @rh: Supplies a pointer to the digest structure.
+ */
+static void audit_dmv_roothash(struct audit_buffer *ab, const void *rh)
+{
+ audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_DMV_ROOTHASH]);
+ ipe_digest_audit(ab, rh);
+}
+
+/**
* audit_rule() - audit an IPE policy rule.
* @ab: Supplies a pointer to the audit_buffer to append to.
* @r: Supplies a pointer to the ipe_rule to approximate a string form for.
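Review bot: The three new `audit_prop_names` entries at the top of the hunk are positional, so the table is only correct if the property enum (not visible here) places the roothash enumerator and the two signature enumerators directly after the boot_verified pair, in this order; a later insertion elsewhere in the enum would silently mislabel properties in audit records instead of failing the build. Since the table is already sized by `__IPE_PROP_MAX`, designated initializers pin each string to its index, e.g. `[IPE_PROP_DMV_ROOTHASH] = "dmverity_roothash=",` with the two signature entries written the same way against their own enumerators (the existing boot_verified entries would take the same form). This is worth doing now because `audit_rule()` below indexes the table directly with `ptr->type`. The `audit_rule()` doc comment at the end of the hunk continues past it.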
@@ -65,8 +80,18 @@ static void audit_rule(struct audit_buffer *ab, const struct ipe_rule *r)
audit_log_format(ab, " rule=\"op=%s ", audit_op_names[r->op]);
- list_for_each_entry(ptr, &r->props, next)
- audit_log_format(ab, "%s ", audit_prop_names[ptr->type]);
+ list_for_each_entry(ptr, &r->props, next) {
+ switch (ptr->type) {
+ case IPE_PROP_DMV_ROOTHASH:
+ audit_dmv_roothash(ab, ptr->value);
+ break;
+ default:
+ audit_log_format(ab, "%s", audit_prop_names[ptr->type]);
+ break;
+ }
+
+ audit_log_format(ab, " ");
+ }
audit_log_format(ab, "action=%s\"", ACTSTR(r->action));
}
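Review bot: The `IPE_PROP_DMV_ROOTHASH` case is the first place variable-content data is written inside the quoted `rule="..."` field opened on the hunk's first line, and the loop relies on `ipe_digest_audit()` (defined elsewhere) emitting only characters that cannot close or confuse that quoted field; if the digest or its algorithm name ever carried a `"`, space or non-printable byte, the audit record would be malformed or could be misparsed. Given the roothash is expected to be hex, a comment on the case would record the assumption for the next maintainer: `/* roothash is emitted inside the quoted rule= field; ipe_digest_audit() must only produce hex digits and the algorithm name, never quotes or whitespace */`. If that is not guaranteed, `audit_log_untrustedstring()` is the usual way to write such a value. `audit_rule()` begins before this hunk.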