Add a new critical data record to measure the trimming event when ima event records are deleted since system boot up.
If all IMA event logs are saved in the userspace, use this log to get total numbers of records deleted since system boot up at that point.
Signed-off-by: steven chen <[email protected]>
---
 security/integrity/ima/ima_fs.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 8e26e0f34311..38d0a49b587f 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -43,6 +43,7 @@ static int valid_policy = 1;
 #define IMA_LOG_TRIM_REQ_NUM_LENGTH 15
 #define IMA_LOG_TRIM_REQ_TOTAL_LENGTH 32
+#define IMA_LOG_TRIM_EVENT_LEN 256
 atomic_long_t ima_number_entries = ATOMIC_LONG_INIT(0);
 static long trimcount;
 /* mutex protects atomicity of trimming measurement list
@@ -52,6 +53,22 @@ static long trimcount;
 static DEFINE_MUTEX(ima_measure_lock);
 static long ima_measure_users;
 
+static void ima_measure_trim_event(void)
+{
+ char ima_log_trim_event[IMA_LOG_TRIM_EVENT_LEN];
+ struct timespec64 ts;
+ u64 time_ns;
+ int n;
+
+ ktime_get_real_ts64(&ts);
+ time_ns = (u64)ts.tv_sec * 1000000000ULL + ts.tv_nsec;
+ n = scnprintf(ima_log_trim_event, IMA_LOG_TRIM_EVENT_LEN,
+ "time= %llu; number= %lu;", time_ns, trimcount);
+
+ ima_measure_critical_data("ima_log_trim", "trim ima event logs",
+ ima_log_trim_event, n, false, NULL, 0);
+
 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
 loff_t *ppos, atomic_long_t *val)
 {
@@ -436,6 +453,9 @@ static ssize_t ima_log_trim_write(struct file *file,
 if (ret < 0)
 goto out;
 
+ if (ret > 0)
+ ima_measure_trim_event();
+
 trimcount += ret;
 ret = datalen;
-- 
2.43.0
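Review bot: `trimcount` is declared `static long` (visible in the first hunk's context) but the scnprintf in `ima_measure_trim_event` formats it with `%lu`; the specifier should be `%ld` to match the argument's signedness, or the counter should become `unsigned long` if it can never be negative. The timestamp can be obtained in one step with `time_ns = ktime_get_real_ns();`, which drops the `timespec64` local and the hand-rolled multiply. Note also that `ktime_get_real_*` is wall-clock time, which a privileged user can change, so a verifier parsing this record should not treat `time=` as a trustworthy ordering key; `ktime_get_boottime_ns()` would give a non-settable value that also matches the "since boot" framing in the commit message. The function reads `trimcount` with no visible lock while the file comment says a mutex protects trimming, so a header comment stating the contract would help, e.g. `/* Caller holds ima_measure_lock; records trimcount as a CRITICAL_DATA measurement (presumably gated by an IMA policy rule for label "ima_log_trim", as for other critical-data callers). */`.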
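Review bot: `ima_measure_trim_event()` is called before `trimcount += ret;`, so the `number=` field it records is the total before this trim and excludes the `ret` entries just removed, which does not match the commit message's "total numbers of records deleted ... at that point"; moving the increment first, `trimcount += ret;` then `if (ret > 0) ima_measure_trim_event();`, records the post-trim total. The `ret > 0` guard means a zero-length trim leaves no record, which looks intentional but deserves a one-line comment such as `/* only record trims that actually removed entries */`. `ima_log_trim_write` begins and ends outside the hunk, so whether `ima_measure_lock` is held around this sequence cannot be confirmed from here.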
