Re: [RFC][PATCH 4/5] integrity: Linux Integrity Module(LIM)

From: James Morris <jmorris@xxxxxxxxx>
Date: Mon, 30 Jun 2008 20:43:20 +1000 (EST)

On Fri, 27 Jun 2008, Mimi Zohar wrote:

+const struct integrity_operations *integrity_ops = NULL;

This will be initialized to zero anyway.

+
+ if (!template_initialized++)
+ INIT_LIST_HEAD(&integrity_templates);

Why not just intialize this at compile time with LIST_HEAD ?

+ template_len = strlen(template_name);
+ if (template_len > TEMPLATE_NAME_LEN_MAX)
+ template_len = TEMPLATE_NAME_LEN_MAX;
+ memcpy(entry->template_name, template_name, template_len);
+ entry->template_name[template_len] = '\0';

Perhaps this would be simpler if you just bail with -EINVAL if the length
is too great. Then you can use strcpy and don't need to nul termiate the
string for the caller.

+ rc = integrity_find_template(template_name, &template_ops);
+ if (rc == 0) {
+ rc = template_ops->collect_measurement(data);
+ rcu_read_unlock();
+ return rc;
+ }
+ rcu_read_unlock();
+ return -EINVAL;
+}

If you give integrity_find_template() a standard form of returning 0 on
success and -errno on failure, you can simplify the above quite a lot to
have one unlock and one return.

+ int rc;
+
+ rcu_read_lock();
+ rc = integrity_find_template(template_name, &template_ops);
+ if (rc == 0) {
+ rc = template_ops->appraise_measurement(data);
+ rcu_read_unlock();
+ return rc;
+ }
+ rcu_read_unlock();
+ return -EINVAL;
+}

Ditto.

+
+EXPORT_SYMBOL_GPL(integrity_appraise_measurement);
+
+/**
+ * integrity_store_measurement - store template specific measurement
+ * @template_name: a pointer to a string containing the template name.
+ * @data: pointer to template specific data
+ *
+ * Store template specific integrity measurement.
+ */
+void integrity_store_measurement(const char *template_name, void *data)
+{
+ const struct template_operations *template_ops;
+ int rc;
+
+ rcu_read_lock();
+ rc = integrity_find_template(template_name, &template_ops);
+ if (rc == 0)
+ template_ops->store_measurement(data);
+ rcu_read_unlock();
+ return;
+}

So, the caller does not get an error if they supply an invalid template
name? That sounds like a bug which they need to know about.

+/**
+ * integrity_must_measure - measure decision based on template policy
+ * @template_name: a pointer to a string containing the template name.
+ * @data: pointer to template specific data
+ *
+ * Returns 0 on success, an error code on failure.
+ */
+int integrity_must_measure(const char *template_name, void *data)
+{
+ const struct template_operations *template_ops;
+ int rc;
+
+ rcu_read_lock();
+ rc = integrity_find_template(template_name, &template_ops);
+ if (rc == 0) {
+ rc = template_ops->must_measure(data);
+ rcu_read_unlock();
+ return rc;
+ }
+ rcu_read_unlock();
+ return -EINVAL;
+}

Do a single unlock and return.

+/* Hook used to measure executable file integrity. */
+int integrity_bprm_check(struct linux_binprm *bprm)
+{
+ int rc = 0;
+
+ if (integrity_ops && integrity_ops->bprm_check_integrity)
+ rc = integrity_ops->bprm_check_integrity(bprm);
+ return rc;
+}

Have you considered using a set of dummy ops similar to LSM, so that
integrity_ops->whatever will always point to something and can be
unconditionally called? (see security_fixup_ops()).

- James
--
James Morris
<jmorris@xxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Follow-Ups:
- Re: [RFC][PATCH 4/5] integrity: Linux Integrity Module(LIM)
  - From: Mimi Zohar

References:
- [RFC][PATCH 4/5] integrity: Linux Integrity Module(LIM)
  - From: Mimi Zohar

Prev by Date: Re: linux-next: Tree for June 13: IO APIC breakage on HP nx6325
Next by Date: Re: [PATCH] x86: Add PCI IDs for AMD Barcelona PCI devices
Previous by thread: [RFC][PATCH 4/5] integrity: Linux Integrity Module(LIM)
Next by thread: Re: [RFC][PATCH 4/5] integrity: Linux Integrity Module(LIM)
Index(es):
- Date
- Thread

Relevant Pages

Re: Item 42 of Effective C++
... > variable in the class are of the template type? ... several times does not lead to code bloat, and that is probably also not ... void pointer. ... believe at least knowing a bit of assembler helps a lot for understanding ...
(alt.comp.lang.learn.c-cpp)
Re: The Decline of C/C++, the rise of X
... > tend to be most useful for encoding Boolean values in data structures ... to freea pointer obtained from the gc, ... >> to be a useful attribute of a language. ... Template arguments are evaluated in the scope of the point of instantiation, ...
(comp.programming)
Re: null assignment in a template
... My question is about template programming ... and declare the value in its explicit ... An assignment operator taking an int and one ... taking a pointer? ...
(microsoft.public.vc.stl)
Re: null assignment in a template
... // this template won't compile due to the fact that it is illegal to ... and declare the value in its explicit ... delcares a single ctor to force the client to have to declare an initial value for said variable, as oppossed to Inialisedwhich allows for a compile-time constant initialization value to be specified in the template parameters themselves. ... taking a pointer? ...
(microsoft.public.vc.stl)
Re: Formating changes using the macro to merge letters to separate fil
... The exact error code is 4605 command not available. ... Would i change the path to correspond where the template is? ... The macro creates a new document for each record based on normal.dot. ... Word MVP web site http://word.mvps.org ...
(microsoft.public.word.mailmerge.fields)