Re: [PATCH v6 6/6] ima: define "fs_unsafe" builtin policy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2017-08-22 at 13:07 +0300, Dmitry Kasatkin wrote:
> Looks good to me.

Thank you for reviewing the code!  Can I add your Reviewed-by/Acked-by?

Mimi

> 
> On Tue, Aug 15, 2017 at 5:43 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > Permit normally denied access/execute permission for files in policy
> > on IMA unsupported filesystems.  This patch defines "fs_unsafe", a
> > builtin policy.
> >
> > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> >
> > ---
> > Changelog v3:
> > - include dont_failsafe rule when displaying policy
> >
> >  Documentation/admin-guide/kernel-parameters.txt |  8 +++++++-
> >  security/integrity/ima/ima_policy.c             | 12 ++++++++++++
> >  2 files changed, 19 insertions(+), 1 deletion(-)
> >
> > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> > index d9c171ce4190..4e303be83df6 100644
> > --- a/Documentation/admin-guide/kernel-parameters.txt
> > +++ b/Documentation/admin-guide/kernel-parameters.txt
> > @@ -1502,7 +1502,7 @@
> >
> >         ima_policy=     [IMA]
> >                         The builtin policies to load during IMA setup.
> > -                       Format: "tcb | appraise_tcb | secure_boot"
> > +                       Format: "tcb | appraise_tcb | secure_boot | fs_unsafe"
> >
> >                         The "tcb" policy measures all programs exec'd, files
> >                         mmap'd for exec, and all files opened with the read
> > @@ -1517,6 +1517,12 @@
> >                         of files (eg. kexec kernel image, kernel modules,
> >                         firmware, policy, etc) based on file signatures.
> >
> > +                       The "fs_unsafe" policy permits normally denied
> > +                       access/execute permission for files in policy on IMA
> > +                       unsupported filesystems.  Note this option, as the
> > +                       name implies, is not safe and not recommended for
> > +                       any environments other than testing.
> > +
> >         ima_tcb         [IMA] Deprecated.  Use ima_policy= instead.
> >                         Load a policy which meets the needs of the Trusted
> >                         Computing Base.  This means IMA will measure all
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index 43b85a4fb8e8..cddd9dfb01e1 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -169,6 +169,10 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
> >          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
> >  };
> >
> > +static struct ima_rule_entry dont_failsafe_rules[] __ro_after_init = {
> > +       {.action = DONT_FAILSAFE}
> > +};
> > +
> >  static LIST_HEAD(ima_default_rules);
> >  static LIST_HEAD(ima_policy_rules);
> >  static LIST_HEAD(ima_temp_rules);
> > @@ -188,6 +192,7 @@ __setup("ima_tcb", default_measure_policy_setup);
> >
> >  static bool ima_use_appraise_tcb __initdata;
> >  static bool ima_use_secure_boot __initdata;
> > +static bool ima_use_dont_failsafe __initdata;
> >  static int __init policy_setup(char *str)
> >  {
> >         char *p;
> > @@ -201,6 +206,10 @@ static int __init policy_setup(char *str)
> >                         ima_use_appraise_tcb = 1;
> >                 else if (strcmp(p, "secure_boot") == 0)
> >                         ima_use_secure_boot = 1;
> > +               else if (strcmp(p, "fs_unsafe") == 0) {
> > +                       ima_use_dont_failsafe = 1;
> > +                       set_failsafe(0);
> > +               }
> >         }
> >
> >         return 1;
> > @@ -470,6 +479,9 @@ void __init ima_init_policy(void)
> >                         temp_ima_appraise |= IMA_APPRAISE_POLICY;
> >         }
> >
> > +       if (ima_use_dont_failsafe)
> > +               list_add_tail(&dont_failsafe_rules[0].list, &ima_default_rules);
> > +
> >         ima_rules = &ima_default_rules;
> >         ima_update_policy_flag();
> >  }
> > --
> > 2.7.4
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 
> 




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux