Re: [PATCH v2 11/11] ima: Support additional conditionals in the KEXEC_CMDLINE hook function

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 6/26/20 3:39 PM, Tyler Hicks wrote:

Take the properties of the kexec kernel's inode and the current task
ownership into consideration when matching a KEXEC_CMDLINE operation to
the rules in the IMA policy. This allows for some uniformity when
writing IMA policy rules for KEXEC_KERNEL_CHECK, KEXEC_INITRAMFS_CHECK,
and KEXEC_CMDLINE operations.

Prior to this patch, it was not possible to write a set of rules like
this:

  dont_measure func=KEXEC_KERNEL_CHECK obj_type=foo_t
  dont_measure func=KEXEC_INITRAMFS_CHECK obj_type=foo_t
  dont_measure func=KEXEC_CMDLINE obj_type=foo_t
  measure func=KEXEC_KERNEL_CHECK
  measure func=KEXEC_INITRAMFS_CHECK
  measure func=KEXEC_CMDLINE

The inode information associated with the kernel being loaded by a
kexec_kernel_load(2) syscall can now be included in the decision to
measure or not

Additonally, the uid, euid, and subj_* conditionals can also now be
used in KEXEC_CMDLINE rules. There was no technical reason as to why
those conditionals weren't being considered previously other than
ima_match_rules() didn't have a valid inode to use so it immediately
bailed out for KEXEC_CMDLINE operations rather than going through the
full list of conditional comparisons.

Signed-off-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxxx>
Cc: Eric Biederman <ebiederm@xxxxxxxxxxxx>
Cc: kexec@xxxxxxxxxxxxxxxxxxx
---

* v2
   - Moved the inode parameter of process_buffer_measurement() to be the
     first parameter so that it more closely matches process_masurement()

  include/linux/ima.h                          |  4 ++--
  kernel/kexec_file.c                          |  2 +-
  security/integrity/ima/ima.h                 |  2 +-
  security/integrity/ima/ima_api.c             |  2 +-
  security/integrity/ima/ima_appraise.c        |  2 +-
  security/integrity/ima/ima_asymmetric_keys.c |  2 +-
  security/integrity/ima/ima_main.c            | 23 +++++++++++++++-----
  security/integrity/ima/ima_policy.c          | 17 +++++----------
  security/integrity/ima/ima_queue_keys.c      |  2 +-
  9 files changed, 31 insertions(+), 25 deletions(-)



Reviewed-by: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx>

_______________________________________________
kexec mailing list
kexec@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/kexec
[Index of Archives]     [LM Sensors]     [Linux Sound]     [ALSA Users]     [ALSA Devel]     [Linux Audio Users]     [Linux Media]     [Kernel]     [Gimp]     [Yosemite News]     [Linux Media]
  Powered by Linux