On Dec 4, 2024 Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > > Like direct file execution (e.g. ./script.sh), indirect file execution > (e.g. sh script.sh) needs to be measured and appraised. Instantiate > the new security_bprm_creds_for_exec() hook to measure and verify the > indirect file's integrity. Unlike direct file execution, indirect file > execution is optionally enforced by the interpreter. > > Differentiate kernel and userspace enforced integrity audit messages. > > Co-developed-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > --- > Changelog v3: > - Mickael: add comment ima_bprm_creds_for_exec(), minor code cleanup, > add Co-developed-by tag. > > Changelog v2: > - Mickael: Use same audit messages with new audit message number > - Stefan Berger: Return boolean from is_bprm_creds_for_exec() > > include/uapi/linux/audit.h | 1 + > security/integrity/ima/ima_appraise.c | 27 +++++++++++++++++++++++-- > security/integrity/ima/ima_main.c | 29 +++++++++++++++++++++++++++ > 3 files changed, 55 insertions(+), 2 deletions(-) > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index 75e21a135483..826337905466 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -161,6 +161,7 @@ > #define AUDIT_INTEGRITY_RULE 1805 /* policy rule */ > #define AUDIT_INTEGRITY_EVM_XATTR 1806 /* New EVM-covered xattr */ > #define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */ > +#define AUDIT_INTEGRITY_DATA_CHECK 1808 /* Userspace enforced data integrity */ I worry that "DATA_CHECK" is a bit vague, should we change the name so that there is some hint of either userspace enforcement or AT_EXECVE_CHECK? What about AUDIT_INTEGRITY_DATA_USER? -- paul-moore.com
