On Thu, 2024-12-05 at 19:30 -0500, Paul Moore wrote: > On Dec 4, 2024 Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > > > > Like direct file execution (e.g. ./script.sh), indirect file execution > > (e.g. sh script.sh) needs to be measured and appraised. Instantiate > > the new security_bprm_creds_for_exec() hook to measure and verify the > > indirect file's integrity. Unlike direct file execution, indirect file > > execution is optionally enforced by the interpreter. > > > > Differentiate kernel and userspace enforced integrity audit messages. > > > > Co-developed-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > > --- > > Changelog v3: > > - Mickael: add comment ima_bprm_creds_for_exec(), minor code cleanup, > > add Co-developed-by tag. > > > > Changelog v2: > > - Mickael: Use same audit messages with new audit message number > > - Stefan Berger: Return boolean from is_bprm_creds_for_exec() > > > > include/uapi/linux/audit.h | 1 + > > security/integrity/ima/ima_appraise.c | 27 +++++++++++++++++++++++-- > > security/integrity/ima/ima_main.c | 29 +++++++++++++++++++++++++++ > > 3 files changed, 55 insertions(+), 2 deletions(-) > > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > > index 75e21a135483..826337905466 100644 > > --- a/include/uapi/linux/audit.h > > +++ b/include/uapi/linux/audit.h > > @@ -161,6 +161,7 @@ > > #define AUDIT_INTEGRITY_RULE 1805 /* policy rule */ > > #define AUDIT_INTEGRITY_EVM_XATTR 1806 /* New EVM-covered xattr */ > > #define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */ > > +#define AUDIT_INTEGRITY_DATA_CHECK 1808 /* Userspace enforced data integrity */ > > I worry that "DATA_CHECK" is a bit vague, should we change the name so > that there is some hint of either userspace enforcement or > AT_EXECVE_CHECK? > > What about AUDIT_INTEGRITY_DATA_USER? The emphasis should be on userspace - AUDIT_INTEGRITY_USERSPACE. Mimi
