On Sat, 2021-08-14 at 16:27 +0800, Tianxing Zhang wrote: > When a policy file path contains control characters like '\r' or '\b', > invalid error messages can be printed to overwrite system messages: > > $ echo -e "/\rtest 12345678" > /sys/kernel/security/ima/policy > > This patch rejects policy paths with control characters. > > Signed-off-by: Tianxing Zhang <anakinzhang96@xxxxxxxxx> > --- > security/integrity/ima/ima_fs.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c > index 3d8e9d5db5aa..e6daa138de89 100644 > --- a/security/integrity/ima/ima_fs.c > +++ b/security/integrity/ima/ima_fs.c > @@ -316,6 +316,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, > { > char *data; > ssize_t result; > + int i; > > if (datalen >= PAGE_SIZE) > datalen = PAGE_SIZE - 1; > @@ -331,6 +332,14 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, > goto out; > } > > + for (i = 0; data[i] != '\n' && data[i] != '\0'; i++) { > + if (iscntrl(data[i])) { > + pr_err_once("file path with no control characters required\n"); > + result = -EINVAL; > + goto out_free; > + } > + } > + > result = mutex_lock_interruptible(&ima_write_mutex); > if (result < 0) > goto out_free; The IMA audit messages already display pathnames via audit_log_untrustedstring(). Shouldn't any change be limited to the ima_policy_read() code path? thanks, Mimi
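Review bot: The loop added in the second hunk of ima_write_policy() runs on every write, before mutex_lock_interruptible(), with no test that `data` holds a path at all, although the commit message and the error text both speak of policy paths. iscntrl() is true for '\t' as well as for '\r' and '\b', so any first line that contains a tab now fails with -EINVAL. If only paths are meant, guard the loop with a check that the buffer is a path, or move the check to the place where the path is consumed or printed. The scan stops at the first '\n', so only the first line of the buffer is covered. It also has no bound against `datalen` and relies on `data` being NUL-terminated by code outside the hunk. pr_err_once() logs the first rejection only, so later -EINVAL returns carry no message; a rate-limited print would keep the diagnostic, and the text could be more direct, for example "control characters not allowed in policy path". The diffstat's 9 insertions are all accounted for by these two hunks, so no include is added: confirm that <linux/ctype.h> is already available for iscntrl().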