[PATCH v3 20/22] ima: load policy using path

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



________________________________________
From: Petko Manolov [petkan@xxxxxxxxxxxx]
Sent: Sunday, February 07, 2016 9:59 PM
To: Mimi Zohar
Cc: linux-security-module at vger.kernel.org; Luis R. Rodriguez; kexec at lists.infradead.org; linux-modules at vger.kernel.org; fsdevel at vger.kernel.org; David Howells; David Woodhouse; Kees Cook; Dmitry Torokhov; Dmitry Kasatkin; Eric Biederman; Rusty Russell; Dmitry Kasatkin; Dmitry Kasatkin
Subject: Re: [PATCH v3 20/22] ima: load policy using path

On 16-02-03 14:06:28, Mimi Zohar wrote:
> From: Dmitry Kasatkin <d.kasatkin at samsung.com>
>
> We currently cannot do appraisal or signature vetting of IMA policies
> since we currently can only load IMA policies by writing the contents
> of the policy directly in, as follows:
>
> cat policy-file > <securityfs>/ima/policy
>
> If we provide the kernel the path to the IMA policy so it can load
> the policy itself it'd be able to later appraise or vet the file
> signature if it has one.  This patch adds support to load the IMA
> policy with a given path as follows:
>
> echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy
>
> Changelog v3:
> - moved kernel_read_file_from_path() to a separate patch
> v2:
> - after re-ordering the patches, replace calling integrity_kernel_read()
>   to read the file with kernel_read_file_from_path() (Mimi)
> - Patch description re-written by Luis R. Rodriguez
>
> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin at huawei.com>
> Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
> ---
>  include/linux/fs.h              |  1 +
>  security/integrity/ima/ima_fs.c | 43 +++++++++++++++++++++++++++++++++++++++--
>  2 files changed, 42 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index d4d556e..b648e6d 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -2531,6 +2531,7 @@ enum kernel_read_file_id {
>       READING_MODULE,
>       READING_KEXEC_IMAGE,
>       READING_KEXEC_INITRAMFS,
> +     READING_POLICY,
>       READING_MAX_ID
>  };
>
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index f355231..00ccd67 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -22,6 +22,7 @@
>  #include <linux/rculist.h>
>  #include <linux/rcupdate.h>
>  #include <linux/parser.h>
> +#include <linux/vmalloc.h>
>
>  #include "ima.h"
>
> @@ -258,6 +259,41 @@ static const struct file_operations ima_ascii_measurements_ops = {
>       .release = seq_release,
>  };
>
> +static ssize_t ima_read_policy(char *path)
> +{
> +     void *data;
> +     char *datap;
> +     loff_t size;
> +     int rc, pathlen = strlen(path);
> +
> +     char *p;
> +
> +     /* remove \n */
> +     datap = path;
> +     strsep(&datap, "\n");
> +
> +     rc = kernel_read_file_from_path(path, &data, &size, 0, READING_POLICY);
> +     if (rc < 0)
> +             return rc;
> +
> +     datap = data;
> +     while (size > 0 && (p = strsep(&datap, "\n"))) {
> +             pr_debug("rule: %s\n", p);
> +             rc = ima_parse_add_rule(p);
> +             if (rc < 0)
> +                     break;
> +             size -= rc;
> +     }
> +
> +     vfree(data);
> +     if (rc < 0)
> +             return rc;
> +     else if (size)
> +             return -EINVAL;
> +     else
> +             return pathlen;
> +}
> +
>  static ssize_t ima_write_policy(struct file *file, const char __user *buf,
>                               size_t datalen, loff_t *ppos)
>  {
> @@ -286,9 +322,12 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
>       result = mutex_lock_interruptible(&ima_write_mutex);
>       if (result < 0)
>               goto out_free;
> -     result = ima_parse_add_rule(data);
> -     mutex_unlock(&ima_write_mutex);
>
> +     if (data[0] == '/')

>It seems that if we feed relative path to ima_policy the update will fail...

Yes, i think it is always a good idea to pass absolute path.

Dmitry

> +             result = ima_read_policy(data);
> +     else
> +             result = ima_parse_add_rule(data);
> +     mutex_unlock(&ima_write_mutex);
>  out_free:
>       kfree(data);
>  out:
> --
> 2.1.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [LM Sensors]     [Linux Sound]     [ALSA Users]     [ALSA Devel]     [Linux Audio Users]     [Linux Media]     [Kernel]     [Gimp]     [Yosemite News]     [Linux Media]

  Powered by Linux