On 5/22/22 13:38, Serge E. Hallyn wrote:
On Wed, Apr 20, 2022 at 10:06:19AM -0400, Stefan Berger wrote:
Only accept AUDIT rules for non-init_ima_ns namespaces for now. Reject
This sentence gives me trouble - i keep thinking you mean that you'll
reject AUDIT rules for init_ima_ns :) Can you rephrase it as something
like
For non-init_ima_ns namespaces, only accept AUDIT rules for now.
:)
all rules that require support for measuring, appraisal, and hashing.
I kept the title of the patch but the text now states:
For non-init_ima_ns namespaces, only accept AUDIT rules for now. Reject
all rules that require support for measuring, appraisal, and hashing.
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
Acked-by: Christian Brauner <brauner@xxxxxxxxxx>
Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
v9:
- Jump to err_audit when unsupported rules are detected
---
security/integrity/ima/ima_policy.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 59e4ae5a6361..45a997709200 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1812,6 +1812,17 @@ static int ima_parse_rule(struct ima_namespace *ns,
result = -EINVAL;
break;
}
+
+ /* IMA namespace only accepts AUDIT rules */
+ if (ns != &init_ima_ns && result == 0) {
+ switch (entry->action) {
+ case MEASURE:
+ case APPRAISE:
+ case HASH:
So... what about DONT_MEASURE and DONT_APPRAISE?
They don't cause IMA to do anything that is not supported at this point
so I let them pass. If you set these you still don't get a measurements
or appraisal and that's good at this point..
+ result = -EINVAL;
+ goto err_audit;
+ }
+ }
}
if (!result && !ima_validate_rule(entry))
result = -EINVAL;
@@ -1824,6 +1835,7 @@ static int ima_parse_rule(struct ima_namespace *ns,
check_template_modsig(template_desc);
}
+err_audit:
audit_log_format(ab, "res=%d", !result);
audit_log_end(ab);
return result;
--
2.34.1
