diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 27d2ffbd0763f7d49778afd5e239687571e11da6..da03d338961901a2f592025d7612d67a6df70851 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -107,6 +107,9 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
const unsigned char *filename);
void ima_audit_measurement(struct integrity_iint_cache *iint,
const unsigned char *filename);
+int ima_alloc_init_template(struct integrity_iint_cache *iint,
+ struct file *file, const unsigned char *filename,
+ struct ima_template_entry **entry);
int ima_store_template(struct ima_template_entry *entry, int violation,
struct inode *inode, const unsigned char *filename);
void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index a0fe5041310a790a276c792757cba0231cb25cce..29dd43de823a53c9c5d07008af34477d3a1f415e 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -23,6 +23,62 @@
static const char *IMA_TEMPLATE_NAME = "ima";
+/*
+ * ima_alloc_init_template - create and initialize a new template entry
+ */
+int ima_alloc_init_template(struct integrity_iint_cache *iint,
+ struct file *file, const unsigned char *filename,
+ struct ima_template_entry **entry)
+{
+ struct ima_template_entry *e;
+ int result = 0;
+
+ e = kzalloc(sizeof(**entry), GFP_NOFS);
+ if (!e)
+ return -ENOMEM;
+
+ memset(&(e)->template, 0, sizeof(e->template));
+ if (!iint) /* IMA measurement violation entry */
+ goto out;
+
+ if (iint->ima_hash->algo != ima_hash_algo) {
+ struct inode *inode;
+ struct {
+ struct ima_digest_data hdr;
+ char digest[IMA_MAX_DIGEST_SIZE];
+ } hash;
+
+ if (!file) {
+ result = -EINVAL;
+ goto out_free;
+ }
+
+ inode = file_inode(file);
+ hash.hdr.algo = ima_hash_algo;
+ hash.hdr.length = SHA1_DIGEST_SIZE;
+ result = ima_calc_file_hash(file, &hash.hdr);
+ if (result) {
+ integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
+ filename, "collect_data",
+ "failed", result, 0);
+ goto out_free;
+ } else
+ memcpy(e->template.digest, hash.hdr.digest,
+ hash.hdr.length);
+ } else
+ memcpy(e->template.digest, iint->ima_hash->digest,
+ iint->ima_hash->length);
+out:
+ strcpy(e->template.file_name,
+ (strlen(filename) > IMA_EVENT_NAME_LEN_MAX && file != NULL) ?
+ file->f_dentry->d_name.name : filename);
+ *entry = e;
+ return 0;
+out_free:
+ kfree(e);
+ return result;
+}
+
/*
* ima_store_template - store ima template measurements
*
@@ -90,13 +146,11 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
/* can overflow, only indicator */
atomic_long_inc(&ima_htable.violations);
- entry = kmalloc(sizeof(*entry), GFP_KERNEL);
- if (!entry) {
+ result = ima_alloc_init_template(NULL, file, filename, &entry);
+ if (result < 0) {
result = -ENOMEM;
goto err_out;
}
- memset(&entry->template, 0, sizeof(entry->template));
- strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX);
result = ima_store_template(entry, violation, inode, filename);
if (result < 0)
kfree(entry);
@@ -220,34 +274,12 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
if (iint->flags & IMA_MEASURED)
return;
- entry = kmalloc(sizeof(*entry), GFP_KERNEL);
- if (!entry) {
+ result = ima_alloc_init_template(iint, file, filename, &entry);
+ if (result < 0) {
integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
op, audit_cause, result, 0);
return;
}
- memset(&entry->template, 0, sizeof(entry->template));
- if (iint->ima_hash->algo != ima_hash_algo) {
- struct {
- struct ima_digest_data hdr;
- char digest[IMA_MAX_DIGEST_SIZE];
- } hash;
-
- hash.hdr.algo = ima_hash_algo;
- result = ima_calc_file_hash(file, &hash.hdr);
- if (result)
- integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
- filename, "collect_data", "failed",
- result, 0);
- else
- memcpy(entry->template.digest, hash.hdr.digest,
- hash.hdr.length);
- } else
- memcpy(entry->template.digest, iint->ima_hash->digest,
- iint->ima_hash->length);
- strcpy(entry->template.file_name,
- (strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ?
- file->f_dentry->d_name.name : filename);
result = ima_store_template(entry, violation, inode, filename);
if (!result || result == -EEXIST)
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index d42fac308aaa7ab014a0b1a85bd37e37efb37bce..50e15e6336c4c7e0e8a7aa6fa4b394901478efd3 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -43,34 +43,36 @@ int ima_used_chip;
static void __init ima_add_boot_aggregate(void)
{
struct ima_template_entry *entry;
+ struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
const char *op = "add_boot_aggregate";
const char *audit_cause = "ENOMEM";
int result = -ENOMEM;
- int violation = 1;
+ int violation = 0;
struct {
struct ima_digest_data hdr;
char digest[TPM_DIGEST_SIZE];
} hash;
- entry = kmalloc(sizeof(*entry), GFP_KERNEL);
- if (!entry)
- goto err_out;
+ memset(iint, 0, sizeof(*iint));
+ memset(&hash, 0, sizeof(hash));
+ iint->ima_hash = &hash.hdr;
+ iint->ima_hash->algo = HASH_ALGO_SHA1;
+ iint->ima_hash->length = SHA1_DIGEST_SIZE;
- memset(&entry->template, 0, sizeof(entry->template));
- strncpy(entry->template.file_name, boot_aggregate_name,
- IMA_EVENT_NAME_LEN_MAX);
if (ima_used_chip) {
- violation = 0;
- hash.hdr.algo = HASH_ALGO_SHA1;
result = ima_calc_boot_aggregate(&hash.hdr);
if (result < 0) {
audit_cause = "hashing_error";
kfree(entry);
goto err_out;
}
- memcpy(entry->template.digest, hash.hdr.digest,
- hash.hdr.length);
}
+
+ result = ima_alloc_init_template(iint, NULL, boot_aggregate_name,
+ &entry);
+ if (result < 0)
+ return;
+
result = ima_store_template(entry, violation, NULL,
boot_aggregate_name);
if (result < 0)