diff --git a/Add-the-owner-of-file-operations.patch b/Add-the-owner-of-file-operations.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c3f2510a9540cb46c0afa33b062d1543eec6b1ac
--- /dev/null
+++ b/Add-the-owner-of-file-operations.patch
@@ -0,0 +1,50 @@
+From 76d06390a9adf3ae70aaa87e9243c42d848975a4 Mon Sep 17 00:00:00 2001
+From: Huaxin Lu
+Date: Mon, 18 Sep 2023 20:19:05 +0800
+Subject: [PATCH] Add the owner of file operations
+
+Fix the concurrent issues with removing module and
+accessing interfaces.
+---
+ src/common/dim_entry.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/common/dim_entry.h b/src/common/dim_entry.h
+index 17e6420..acfc3a0 100644
+--- a/src/common/dim_entry.h
++++ b/src/common/dim_entry.h
+@@ -49,6 +49,7 @@ static ssize_t sname##_trigger(struct file *file, \
+ } \
+ \
+ static const struct file_operations sname##_ops = { \
++ .owner = THIS_MODULE, \
+ .write = sname##_trigger, \
+ .llseek = generic_file_llseek, \
+ }; \
+@@ -99,6 +100,7 @@ static int sname##_open(struct inode *inode, struct file *file) \
+ } \
+ \
+ static const struct file_operations sname##_ops = { \
++ .owner = THIS_MODULE, \
+ .open = sname##_open, \
+ .read = seq_read, \
+ .llseek = seq_lseek, \
+@@ -129,6 +131,7 @@ static ssize_t sname##_read(struct file *file, \
+ } \
+ \
+ static const struct file_operations sname##_ops = { \
++ .owner = THIS_MODULE, \
+ .read = sname##_read, \
+ .llseek = generic_file_llseek, \
+ }; \
+@@ -173,6 +176,7 @@ static ssize_t sname##_write(struct file *file, \
+ } \
+ \
+ static const struct file_operations sname##_ops = { \
++ .owner = THIS_MODULE, \
+ .read = sname##_read, \
+ .write = sname##_write, \
+ .llseek = generic_file_llseek, \
+-- 
+2.27.0
+
diff --git a/Limit-the-max-line-number-of-policy-and-baseline-par.patch b/Limit-the-max-line-number-of-policy-and-baseline-par.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6c7206d7804f52cb58db5ac1dd6aeffa05f0663b
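Review bot: The four file_operations tables in src/common/dim_entry.h now set `.owner`, which per the commit message is what closes the rmmod-vs-interface-access race, but nothing in the header records that invariant, and the macro pattern makes it easy to add a fifth table without it. I'd put a one-line comment above the first table, `/* .owner must be set on every fops in this header: it pins the module while the file is open */`, so the reason survives the next edit. Each table is emitted from a macro whose definition starts outside the hunk, so the comment belongs at the macro level rather than on one expansion.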
--- /dev/null
+++ b/Limit-the-max-line-number-of-policy-and-baseline-par.patch
@@ -0,0 +1,183 @@
+From 5c57ec04ec4208a968d490dfedd72319c8518e01 Mon Sep 17 00:00:00 2001
+From: Huaxin Lu
+Date: Thu, 14 Sep 2023 12:26:29 +0800
+Subject: [PATCH] Limit the max line number of policy and baseline parsing
+
+1. Limit the max file line number to 10000, the excess lines
+will be ignored;
+2. Remove some unused macro definitions;
+3. Change some macro names.
+
+Signed-off-by: Huaxin Lu
+---
+ doc/manual.md | 9 +++++----
+ src/common/dim_utils.c | 10 ++++++++--
+ src/core/dim_core_policy.c | 6 ++++++
+ src/core/dim_core_policy.h | 2 +-
+ src/core/dim_core_static_baseline.c | 16 +++++++++++-----
+ src/core/dim_core_static_baseline.h | 22 +++++++--------------
+ 6 files changed, 38 insertions(+), 27 deletions(-)
+
+diff --git a/doc/manual.md b/doc/manual.md
+index a8f94e4..1a20742 100644
+--- a/doc/manual.md
++++ b/doc/manual.md
+@@ -52,10 +52,11 @@ DIM特性通过在程序运行时对内存中的关键数据(如代码段、
+ 
+ ### 1.3 规格约束
+ 
+-| 规格项 | 值 |
+-| ------------------------------------------------------------ | ---- |
+-| 文件大小上限(策略文件、静态基线文件、签名文件、证书文件) | 10MB |
+-| 同一个度量目标在一次动态基线后多次度量期间最多记录的篡改度量日志条数 | 10条 |
++| 规格项 | 值 |
++| ------------------------------------------------------------ | ------- |
++| 文件大小上限(策略文件、静态基线文件、签名文件、证书文件) | 10MB |
++| 文件行数上限(策略文件、静态基线文件) | 10000行 |
++| 同一个度量目标在一次动态基线后多次度量期间最多记录的篡改度量日志条数 | 10条 |
+ 
+ ### 1.4 架构说明
+ 
+diff --git a/src/common/dim_utils.c b/src/common/dim_utils.c
+index 83ed967..75b58fc 100644
+--- a/src/common/dim_utils.c
++++ b/src/common/dim_utils.c
+@@ -83,8 +83,14 @@ int dim_parse_line_buf(char *buf, loff_t len, int (*line_parser)(char *, int))
+ ret = line_parser(line_buf, line_no);
+ }
+ 
+- if (ret < 0)
++ if (ret < 0) {
++ /*
++ * if the parser returns -E2BIG, means the line number
++ * is too large, the excess lines will be ignored.
++ */
++ ret = (ret == -E2BIG) ? 0 : ret;
+ goto out;
++ }
+ 
+ line_no++;
+ }
+@@ -93,4 +99,4 @@ out:
+ kfree(line_buf);
+ 
+ return ret;
+-}
+\ No newline at end of file
++}
+diff --git a/src/core/dim_core_policy.c b/src/core/dim_core_policy.c
+index b501de4..a3fa369 100644
+--- a/src/core/dim_core_policy.c
++++ b/src/core/dim_core_policy.c
+@@ -170,6 +170,12 @@ static int policy_parse_line(char* line, int line_no)
+ int key = 0;
+ const char *val = NULL;
+ 
++ if (line_no > DIM_POLICY_LINE_MAX) {
++ dim_warn("more than %d policy items will be ignored\n",
++ DIM_POLICY_LINE_MAX);
++ return -E2BIG;
++ }
++
+ if (strlen(line) == 0 || line[0] == '#')
+ return 0; /* ignore blank line and comment */
+ 
+diff --git a/src/core/dim_core_policy.h b/src/core/dim_core_policy.h
+index 0f0de91..48c6f41 100644
+--- a/src/core/dim_core_policy.h
++++ b/src/core/dim_core_policy.h
+@@ -6,7 +6,7 @@
+ #define __DIM_CORE_POLICY_H
+ 
+ #define DIM_POLICY_PATH "/etc/dim/policy"
+-#define DIM_MAX_POLICY_NUMBER 100000
++#define DIM_POLICY_LINE_MAX 10000
+ 
+ /* policy key */
+ #define DIM_POLICY_MEASURE "measure"
+diff --git a/src/core/dim_core_static_baseline.c b/src/core/dim_core_static_baseline.c
+index ebe6db8..f779da1 100644
+--- a/src/core/dim_core_static_baseline.c
++++ b/src/core/dim_core_static_baseline.c
+@@ -57,16 +57,22 @@ static int parse_simple_baseline_line(char* line, int line_no)
+ char *line_str = line;
+ struct dim_digest digest = { 0 };
+ 
++ if (line_no > DIM_STATIC_BASELINE_LINE_MAX) {
++ dim_warn("more than %d baseline items will be ignored\n",
++ DIM_STATIC_BASELINE_LINE_MAX);
++ return -E2BIG;
++ }
++
+ if (strlen(line) == 0 || line[0] == '#')
+ return 0; /* ignore blank line and comment */
+ 
+- if (strlen(line) > DIM_BASELINE_MAX_LEN) {
++ if (strlen(line) > DIM_STATIC_BASELINE_LEN_MAX) {
+ dim_err("overlength item at line %d\n", line_no);
+ return 0; /* ignore baseline parsing failed */
+ }
+ 
+ if ((p = strsep(&line_str, " ")) == NULL ||
+- strcmp(p, DIM_BASELINE_PREFIX) != 0) {
++ strcmp(p, DIM_STATIC_BASELINE_PREFIX) != 0) {
+ dim_warn("invalid baseline prefix at line %d\n", line_no);
+ return 0;
+ }
+@@ -167,16 +173,16 @@ int dim_core_static_baseline_load(void)
+ .path = &kpath,
+ };
+ 
+- ret = kern_path(DIM_BASELINE_ROOT, LOOKUP_DIRECTORY, &kpath);
++ ret = kern_path(DIM_STATIC_BASELINE_ROOT, LOOKUP_DIRECTORY, &kpath);
+ if (ret < 0) {
+ dim_err("fail to get dim baseline root path: %d", ret);
+ return ret;
+ }
+ 
+- file = filp_open(DIM_BASELINE_ROOT, O_RDONLY | O_DIRECTORY, 0);
++ file = filp_open(DIM_STATIC_BASELINE_ROOT, O_RDONLY | O_DIRECTORY, 0);
+ if (IS_ERR(file)) {
+ ret = PTR_ERR(file);
+- dim_err("fail to open %s: %d\n", DIM_BASELINE_ROOT, ret);
++ dim_err("fail to open %s: %d\n", DIM_STATIC_BASELINE_ROOT, ret);
+ path_put(&kpath);
+ return ret;
+ }
+diff --git a/src/core/dim_core_static_baseline.h b/src/core/dim_core_static_baseline.h
+index 0691934..bec37d6 100644
+--- a/src/core/dim_core_static_baseline.h
++++ b/src/core/dim_core_static_baseline.h
+@@ -5,22 +5,14 @@
+ #ifndef __DIM_CORE_STATIC_BASELINE_H
+ #define __DIM_CORE_STATIC_BASELINE_H
+ 
+-#define DIM_BASELINE_ROOT "/etc/dim/digest_list"
+-
+-/* key field in baseline json file */
+-#define KEY_PRODUCTS "products"
+-#define KEY_FILES "ccFiles"
+-#define KEY_FPATCHES "patches"
+-#define KEY_FILENAME "fileName"
+-#define KEY_FILETYPE "fileType"
+-#define KEY_PATCH_FILES "files"
+-#define KEY_SHA256 "sha256"
+-
+-#define DIM_BASELINE_PREFIX "dim"
+- /* dim KERNEL sha256:{digest} {PATH_MAX}\n*/
+- #define DIM_BASELINE_MAX_LEN (strlen(DIM_BASELINE_PREFIX) + 1 + \
+- NAME_MAX + 1 + NAME_MAX + 1 + PATH_MAX + 1 + 1)
++#define DIM_STATIC_BASELINE_ROOT "/etc/dim/digest_list"
++#define DIM_STATIC_BASELINE_LINE_MAX 10000
+ 
++#define DIM_STATIC_BASELINE_PREFIX "dim"
++/* dim KERNEL sha256:{digest} {PATH_MAX}\n*/
++#define DIM_STATIC_BASELINE_LEN_MAX (strlen(DIM_STATIC_BASELINE_PREFIX) + 1 + \
++ NAME_MAX + 1 + NAME_MAX + 1 + \
++ PATH_MAX + 1 + 1)
+ 
+ int dim_core_static_baseline_load(void);
+ 
+-- 
+2.33.0
+
diff --git a/README.en.md b/README.en.md
deleted file mode 100644
index 6057afd88ea64d50f2d661db1b3c30ffddd0aac4..0000000000000000000000000000000000000000
--- a/README.en.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# dim_kernel
-
-#### Description
-DIM kernel subsystem
-
-#### Software Architecture
-Software architecture description
-
-#### Installation
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Instructions
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Contribution
-
-1. Fork the repository
-2. Create Feat_xxx branch
-3. Commit your code
-4. Create Pull Request
-
-
-#### Gitee Feature
-
-1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
-2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
-3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
-4. The most valuable open source project [GVP](https://gitee.com/gvp)
-5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
-6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/README.md b/README.md
deleted file mode 100644
index 60cfbfeea9972c0a46c21d9bba1258b58661cee6..0000000000000000000000000000000000000000
--- a/README.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# dim_kernel
-
-#### 介绍
-DIM kernel subsystem
-
-#### 软件架构
-软件架构说明
-
-
-#### 安装教程
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### 使用说明
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### 参与贡献
-
-1. Fork 本仓库
-2. 新建 Feat_xxx 分支
-3. 提交代码
-4. 新建 Pull Request
-
-
-#### 特技
-
-1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md
-2. Gitee 官方博客 [blog.gitee.com](https://blog.gitee.com)
-3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解 Gitee 上的优秀开源项目
-4. [GVP](https://gitee.com/gvp) 全称是 Gitee 最有价值开源项目,是综合评定出的优秀开源项目
-5. Gitee 官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
-6. Gitee 封面人物是一档用来展示 Gitee 会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
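Review bot: In the dim_core_policy.c hunk, reaching DIM_POLICY_LINE_MAX returns -E2BIG, and the dim_utils.c hunk then rewrites that to success (`ret = (ret == -E2BIG) ? 0 : ret;`), so a policy longer than 10000 lines loads "successfully" with its tail silently dropped; for an integrity-measurement policy that is a fail-open in which only a dim_warn records that some targets will never be measured. I'd propagate the error instead (drop the `-E2BIG ? 0` mapping and just `goto out;` with ret as returned) so the load fails loudly, or at least state in the manual that an over-long policy or baseline is accepted truncated. Note also that the line_no check runs before the blank/comment skip, so empty and `#` lines count toward the limit while the message talks about "policy items"; if counting raw lines is intended, `"more than %d policy lines will be ignored\n"` says what actually happens, and the same applies to parse_simple_baseline_line. policy_parse_line and parse_simple_baseline_line both continue outside their hunks.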
diff --git a/Use-jiffies64-interface-to-set-measure-interval.patch b/Use-jiffies64-interface-to-set-measure-interval.patch
new file mode 100644
index 0000000000000000000000000000000000000000..12e828d2a9fc0508af89b0e121c6243ce6020160
--- /dev/null
+++ b/Use-jiffies64-interface-to-set-measure-interval.patch
@@ -0,0 +1,104 @@
+From b401815cca8d7d8beddba4726ccafee047f05205 Mon Sep 17 00:00:00 2001
+From: Huaxin Lu
+Date: Thu, 14 Sep 2023 14:22:10 +0800
+Subject: [PATCH] Use jiffies64 interface to set measure interval
+
+The max measure interval is designed to 1 year. So using
+msecs_to_jeffies may cause a overflow.
+
+Signed-off-by: Huaxin Lu
+---
+ src/core/dim_core_measure.c | 39 ++++++++++++++++++++++++-------------
+ src/core/dim_core_measure.h | 3 ++-
+ 2 files changed, 27 insertions(+), 15 deletions(-)
+
+diff --git a/src/core/dim_core_measure.c b/src/core/dim_core_measure.c
+index e0042eb..59e2cf8 100644
+--- a/src/core/dim_core_measure.c
++++ b/src/core/dim_core_measure.c
+@@ -36,7 +36,7 @@ bool tampered_action = false;
+ 
+ /* time (jiffies) to set */
+ unsigned long measure_schedule_jiffies = 0;
+-static atomic_t measure_interval_jiffies = ATOMIC_INIT(0);
++static unsigned long measure_interval_jiffies = 0;
+ 
+ struct dim_tpm dim_core_tpm = { 0 };
+ struct dim_hash dim_core_hash = { 0 };
+@@ -52,27 +52,38 @@ long dim_core_interval_get(void)
+ return p;
+ }
+ 
+-int dim_core_interval_set(unsigned int p)
++unsigned long dim_core_interval_jiffies_get(void)
+ {
+- unsigned long p_jiffies = 0;
++ unsigned long p = 0;
+ 
+- if (p > DIM_INTERVAL_MAX)
+- return -ERANGE;
++ mutex_lock(&dim_core_interval_lock);
++ p = measure_interval_jiffies;
++ mutex_unlock(&dim_core_interval_lock);
++ return p;
++}
++
++int dim_core_interval_set(unsigned int min)
++{
++ unsigned long min_jiffies = 0;
+ 
+- p_jiffies = msecs_to_jiffies(p * DIM_MINUTE_TO_MSEC);
+- if (p_jiffies == MAX_JIFFY_OFFSET)
++ if (min > DIM_INTERVAL_MAX ||
++ (unsigned long)min * DIM_MINUTE_TO_SEC > MAX_SEC_IN_JIFFIES)
+ return -ERANGE;
+ 
++ min_jiffies = (min == 0) ? 0 :
++ nsecs_to_jiffies64((unsigned long)min * DIM_MINUTE_TO_NSEC);
++
+ mutex_lock(&dim_core_interval_lock);
+- measure_interval = p;
+- atomic_set(&measure_interval_jiffies, p_jiffies);
+- if (p_jiffies == 0) {
++ measure_interval = min;
++ measure_interval_jiffies = min_jiffies;
++ if (measure_interval == 0) {
+ dim_info("cancel dim timed measure work");
+ cancel_delayed_work_sync(&dim_measure_work);
+ } else {
+- dim_info("modify dim measure interval to %u min (jittfies = %lu)",
+- p, p_jiffies);
+- mod_delayed_work(dim_work_queue, &dim_measure_work, p_jiffies);
++ dim_info("modify dim measure interval to %u min "
++ "(jittfies = 0x%lx)", min, min_jiffies);
++ mod_delayed_work(dim_work_queue, &dim_measure_work,
++ min_jiffies);
+ }
+ 
+ mutex_unlock(&dim_core_interval_lock);
+@@ -154,7 +165,7 @@ static void dim_worker_work_cb(struct work_struct *work)
+ unsigned long p;
+ 
+ do_measure();
+- p = atomic_read(&measure_interval_jiffies);
++ p = dim_core_interval_jiffies_get();
+ if (p != 0)
+ queue_delayed_work(dim_work_queue, &dim_measure_work, p);
+ }
+diff --git a/src/core/dim_core_measure.h b/src/core/dim_core_measure.h
+index c9f0647..c9abc4e 100644
+--- a/src/core/dim_core_measure.h
++++ b/src/core/dim_core_measure.h
+@@ -9,7 +9,8 @@
+ 
+ /* max measure interval = 1 year */
+ #define DIM_INTERVAL_MAX (365 * 24 * 60)
+-#define DIM_MINUTE_TO_MSEC (60 * 1000)
++#define DIM_MINUTE_TO_SEC (60UL)
++#define DIM_MINUTE_TO_NSEC (60UL * 1000 * 1000 * 1000)
+ /* max number of kill tasks */
+ #define DIM_KILL_TASKS_MAX (1024)
+ /* limit of measure parameter */
+-- 
+2.33.0
+
diff --git a/dim-v1.0.2.tar.gz b/dim-v1.0.2.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..cfb45215b3ca9dfec4a76ea4c68b87cd4c7791c5
Binary files /dev/null and b/dim-v1.0.2.tar.gz differ
diff --git a/dim.spec b/dim.spec
new file mode 100644
index 0000000000000000000000000000000000000000..a515a333d7180bcd5fa8d633fc5866c41d6c852d
--- /dev/null
+++ b/dim.spec
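Review bot: The new dim_core_interval_jiffies_get() takes dim_core_interval_lock from inside the work callback, while dim_core_interval_set() calls cancel_delayed_work_sync() with that same mutex held; if the callback is in flight when the interval is set to 0, the setter waits for the callback to finish and the callback waits for the mutex, which looks like a deadlock the old atomic_read() did not have (unless something outside the hunk guarantees the work is never running at that point). The smallest fix keeps the read lock-free, since an aligned unsigned long store is a single word on Linux: `p = READ_ONCE(measure_interval_jiffies);` in dim_worker_work_cb and `WRITE_ONCE(measure_interval_jiffies, min_jiffies);` in the setter, or else copy the value and drop the mutex before the cancel. Separately, `(unsigned long)min * DIM_MINUTE_TO_NSEC` and the `60UL * 1000 * 1000 * 1000` macro both overflow wherever unsigned long is 32 bits, which is the very class of bug this patch is fixing; `(u64)min * DIM_MINUTE_TO_NSEC` with `#define DIM_MINUTE_TO_NSEC (60ULL * 1000 * 1000 * 1000)` stays exact on every arch. The new log string also still spells `jittfies`. dim_core_interval_set continues past the end of its hunk.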
@@ -0,0 +1,64 @@
+%global debug_package %{nil}
+%define kernel_version %(ver=`rpm -qa|grep kernel-devel`;echo ${ver#*kernel-devel-})
+
+Name : dim
+Summary : Dynamic Integrity Measurement
+Version : 1.0.2
+Release : 4
+License : GPL-2.0
+Source0 : %{name}-v%{version}.tar.gz
+BuildRequires: kernel-devel kernel-headers
+Requires : kernel
+
+Patch0001: Limit-the-max-line-number-of-policy-and-baseline-par.patch
+Patch0002: Use-jiffies64-interface-to-set-measure-interval.patch
+Patch0003: Add-the-owner-of-file-operations.patch
+
+%description
+Dynamic Integrity Measurement
+
+%prep
+%autosetup -n %{name}-v%{version} -p1
+
+%build
+cd src
+sed -i 's#/lib/modules/$(shell uname -r)/build#/lib/modules/%{kernel_version}/build#' Makefile
+make
+
+%install
+mkdir -p $RPM_BUILD_ROOT/lib/modules/%{kernel_version}/extra/dim
+install -m 600 ./src/dim_core.ko $RPM_BUILD_ROOT/lib/modules/%{kernel_version}/extra/dim
+install -m 600 ./src/dim_monitor.ko $RPM_BUILD_ROOT/lib/modules/%{kernel_version}/extra/dim
+
+%pre
+
+%post
+depmod -a `uname -r`
+
+%preun
+
+%postun
+depmod -a
+
+%posttrans
+
+%clean
+rm -rf %{buildroot}
+
+%files
+%defattr(-,root,root)
+%attr(0400,root,root) /lib/modules/%{kernel_version}/extra/dim/dim_core.ko
+%attr(0400,root,root) /lib/modules/%{kernel_version}/extra/dim/dim_monitor.ko
+
+%changelog
+* Mon Sep 18 2023 jinlun 1.0.2-4
+- Fix the concurrent issues with removing module and accessing interfaces.
+
+* Fri Sep 15 2023 luhuaxin 1.0.2-3
+- Use jiffies64 interface to set measure interval
+
+* Thu Sep 14 2023 luhuaxin 1.0.2-2
+- Limit the max line number of policy and baseline parsing
+
+* Mon Sep 4 2023 jinlun 1.0.2-1
+- Init package
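Review bot: The `%define kernel_version` line derives the version from `rpm -qa` piped through `grep kernel-devel`, which yields several package names as soon as more than one kernel-devel (or a kernel-devel-matched) package is installed on the build host; the suffix strip then runs across all of them and the modules are installed under a directory that does not exist. Something like `%(rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel-devel | sort -V | tail -n1)` picks one version deterministically and fails visibly when none is installed. The `%post` step also runs depmod against the running kernel via uname, while the .ko files were placed under `%{kernel_version}`, so whenever the two differ the modules are never registered; `depmod -a %{kernel_version}` in both `%post` and `%postun` matches the install path. For the same reason `Requires: kernel` is looser than the single kernel build these modules are compiled against, and a versioned requirement (or a kmod-style provides) would stop the package installing onto a kernel that cannot load it.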