| 修订版 | a83a8b3eefbf2a6df11a9b63acf8a12c63f4855d (tree) |
|---|---|
| 时间 | 2012-01-04 17:34:09 |
| 作者 | Seiji Munetoh <munetoh@jp.i...> |
| Commiter | Seiji Munetoh |
Exclude conflicted property
include/openpts.h (diff)
src/action.c (diff) src/verifier.c (diff)| @@ -154,6 +154,7 @@ | ||
| 154 | 154 | */ |
| 155 | 155 | typedef struct { |
| 156 | 156 | int num; /**< */ |
| 157 | + int ignore; /**< flag to exclude policy check. 0: policy check, 1:ignore*/ | |
| 157 | 158 | char *name; /**< name */ |
| 158 | 159 | char *value; /**< value */ |
| 159 | 160 | void *next; /**< ptr to the next property */ |
| @@ -373,9 +373,14 @@ int setModuleProperty(OPENPTS_CONTEXT *ctx, OPENPTS_PCR_EVENT_WRAPPER *eventWrap | ||
| 373 | 373 | * |
| 374 | 374 | * linux.kernel.cmdline.ro="" |
| 375 | 375 | * linux.kernel.cmdline.ima_tcb="1" |
| 376 | - * | |
| 376 | + * | |
| 377 | 377 | * |
| 378 | 378 | * UnitTest - tests/check_action.c |
| 379 | + * | |
| 380 | + * 2012-01-04 conflict happen | |
| 381 | + * e.g. | |
| 382 | + * linux.kernel.cmdline.rd_LVM_LV=vg_oc3277723285/lv_root | |
| 383 | + * linux.kernel.cmdline.rd_LVM_LV=vg_oc3277723285/lv_swap | |
| 379 | 384 | * |
| 380 | 385 | */ |
| 381 | 386 | int setLinuxKernelCmdlineAssertion(OPENPTS_CONTEXT *ctx, OPENPTS_PCR_EVENT_WRAPPER *eventWrapper) { |
| @@ -425,11 +430,28 @@ int setLinuxKernelCmdlineAssertion(OPENPTS_CONTEXT *ctx, OPENPTS_PCR_EVENT_WRAPP | ||
| 425 | 430 | /* A=B? */ |
| 426 | 431 | ep = strchr(tp, '='); |
| 427 | 432 | if (ep != NULL) { |
| 433 | + OPENPTS_PROPERTY *prop; | |
| 428 | 434 | *ep = 0; |
| 429 | 435 | ep++; |
| 430 | 436 | snprintf(name, BUF_SIZE, "linux.kernel.cmdline.%s", tp); |
| 431 | 437 | snprintf(value, BUF_SIZE, "%s", ep); |
| 432 | - addProperty(ctx, name, value); | |
| 438 | + /* check */ | |
| 439 | + prop = getProperty(ctx, name); | |
| 440 | + if (prop != NULL) { | |
| 441 | + // conflict | |
| 442 | + DEBUG( | |
| 443 | + "Property %s=%s and %s=%s are conflicted. Drop them from the policy list.", | |
| 444 | + name, prop->value, | |
| 445 | + name, value); | |
| 446 | + VERBOSE(2, // TODO NLS | |
| 447 | + "Property %s=%s and %s=%s are conflicted. Drop them from the policy list.", | |
| 448 | + name, prop->value, | |
| 449 | + name, value); | |
| 450 | + prop->ignore = 1; | |
| 451 | + } else { | |
| 452 | + // new prop, no conflict | |
| 453 | + addProperty(ctx, name, value); | |
| 454 | + } | |
| 433 | 455 | cnt++; |
| 434 | 456 | } else { |
| 435 | 457 | snprintf(name, BUF_SIZE, "linux.kernel.cmdline.%s", tp); |
| @@ -715,6 +715,9 @@ int writePolicyConf(OPENPTS_CONTEXT *ctx, char *filename) { | ||
| 715 | 715 | /* IMA measurement - SKIP */ |
| 716 | 716 | } else if (!strncmp(prop->name, "disable.", 8)) { |
| 717 | 717 | /* Indicates a disabled tpm quote - SKIP */ |
| 718 | + } else if (prop->ignore == 1) { | |
| 719 | + ERROR( // TODO NLS | |
| 720 | + "The property %s is conflicted and excluded from the policy.\n", prop->name); | |
| 718 | 721 | } else { |
| 719 | 722 | fprintf(fp, "%s=%s\n", prop->name, prop->value); |
| 720 | 723 | i++; |
Fork