On Tue, 2022-04-19 at 09:50 -0700, Casey Schaufler wrote:
>
> > @@ -1025,7 +1043,7 @@ enum policy_opt {
> > Opt_fowner_lt, Opt_fgroup_lt,
> > Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos,
> > Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings,
> > - Opt_label, Opt_err
> > + Opt_lsm, Opt_label, Opt_err
> > };
> >
> > static const match_table_t policy_tokens = {
> > @@ -1073,6 +1091,7 @@ static const match_table_t policy_tokens = {
> > {Opt_template, "template=%s"},
> > {Opt_keyrings, "keyrings=%s"},
> > {Opt_label, "label=%s"},
> > + {Opt_lsm, "lsm=%s"},
> > {Opt_err, NULL}
> > };

The ordering of "Opt_lsm" and "Opt_label" is reversed here. They need to be in sync. Displaying the policy rules results in "label=selinux", as opposed to "lsm=selinux".

> > @@ -2158,6 +2195,8 @@ int ima_policy_show(struct seq_file *m, void *v)
> > seq_puts(m, "appraise_flag=check_blacklist ");
> > if (entry->flags & IMA_PERMIT_DIRECTIO)
> > seq_puts(m, "permit_directio ");
> > + if (entry->which >= 0)
> > + seq_printf(m, pt(Opt_lsm), lsm_slot_to_name(entry->which));

Please only include the LSM name on those rules which are LSM specific. I would move this statement to the "for (i = 0; i < MAX_LSM_RULES; i++) {" loop. None of the builtin policy rules are LSM specific. To test, add "ima_policy=tcb" to the boot command line. Then to view the policy, cat /sys/kernel/security/ima/policy.

Also, unless the IMA policy rule explicitly indicated a specific LSM, I would place the LSM name in parentheses.

> > rcu_read_unlock();
> > seq_puts(m, "\n");
> > return 0;

thanks,

Mimi
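Review bot: In the policy_tokens hunk, `{Opt_lsm, "lsm=%s"}` is inserted after `{Opt_label, "label=%s"}`, while the enum policy_opt hunk puts `Opt_lsm` before `Opt_label`; pt() resolves a token to policy_tokens[token].pattern by enum value, so the two orders must match or pt(Opt_lsm) yields the "label=%s" pattern and the lsm= option parses under the wrong token. The smaller fix is to add the table entry one line earlier, before `{Opt_label, "label=%s"},`, so both lists read Opt_lsm, Opt_label, Opt_err.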
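Review bot: In the ima_policy_show hunk, the added `seq_printf(m, pt(Opt_lsm), lsm_slot_to_name(entry->which));` emits no trailing separator, unlike the neighbouring `seq_puts(m, "permit_directio ");`, so whatever the function prints next on the same rule line runs straight into the LSM name; the other formatted tokens in this function follow their seq_printf(m, pt(...), ...) with `seq_puts(m, " ");`, and this one should too. The `entry->which >= 0` check also depends on `which` being initialised to -1 for every rule that carries no lsm= option; that initialisation is not in this hunk, so please confirm the rule allocation path guarantees it, otherwise slot 0's name is printed on every rule.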