Re: [PATCH V3] IMA: Allow profiles to define the desired IMA template

[Roberto Sassu <roberto.sassu@xxxxxxxxxx>]

On 6/4/2019 4:32 PM, Mimi Zohar wrote:
> On Tue, 2019-06-04 at 16:03 +0200, Roberto Sassu wrote:
> > On 6/4/2019 3:51 AM, Mimi Zohar wrote:
> > > On Mon, 2019-06-03 at 13:13 -0700, Matthew Garrett wrote:
> > > > Admins may wish to log different measurements using different IMA
> > > > templates. Add support for overriding the default template on a per-rule
> > > > basis.
> > > >
> > > > Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx>
> > > > ---
> > > >
> > > > Updated based on review feedback, verified that I can generate an event
> > > > log that contains multiple different templates.
> > > >
> > > >    Documentation/ABI/testing/ima_policy  |  6 ++++--
> > > >    security/integrity/ima/ima.h          | 13 +++++++++----
> > > >    security/integrity/ima/ima_api.c      | 24 ++++++++++++++++-------
> > > >    security/integrity/ima/ima_appraise.c |  2 +-
> > > >    security/integrity/ima/ima_init.c     |  2 +-
> > > >    security/integrity/ima/ima_main.c     |  9 +++++----
> > > >    security/integrity/ima/ima_policy.c   | 28 +++++++++++++++++++++++++--
> > > >    security/integrity/ima/ima_template.c | 10 ++++++++--
> > > >    8 files changed, 71 insertions(+), 23 deletions(-)
> > > >
> > > > diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> > > > index 74c6702de74e..4ded0668a22d 100644
> > > > --- a/Documentation/ABI/testing/ima_policy
> > > > +++ b/Documentation/ABI/testing/ima_policy
> > > > @@ -24,8 +24,7 @@ Description:
> > > >    				[euid=] [fowner=] [fsname=]]
> > > >    			lsm:	[[subj_user=] [subj_role=] [subj_type=]
> > > >    				 [obj_user=] [obj_role=] [obj_type=]]
> > > > -			option:	[[appraise_type=]] [permit_directio]
> > > > -
> > > > +			option:	[[appraise_type=]] [template=] [permit_directio]
> > > >    		base: 	func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
> > > >    				[FIRMWARE_CHECK]
> > > >    				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
> > > > @@ -38,6 +37,9 @@ Description:
> > > >    			fowner:= decimal value
> > > >    		lsm:  	are LSM specific
> > > >    		option:	appraise_type:= [imasig]
> > > > +			template:= name or format of a defined IMA template
> > > > +			type (eg,ima-ng or d-ng|n-ng). Only valid when action
> > > > +			is "measure".
> > >
> > > This patch only supports specifying the template name, not the
> > > template format description.  Please remove "d-ng|n-ng".
> >
> > The patch is correct. lookup_template_desc() also considers the format.
>
> Specifying the template format works if it is defined in
> builtin_templates[], but seems to fail if it isn't.

Yes, the original patch set supports the definition of new templates.
That part is not included in this patch.

Roberto

--
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI