[PATCH v3 20/22] ima: load policy using path

Petko Manolov petkan at mip-labs.com
Sun Feb 7 11:59:45 PST 2016


On 16-02-03 14:06:28, Mimi Zohar wrote:
> From: Dmitry Kasatkin <d.kasatkin at samsung.com>
> 
> We currently cannot do appraisal or signature vetting of IMA policies
> since we currently can only load IMA policies by writing the contents
> of the policy directly in, as follows:
> 
> cat policy-file > <securityfs>/ima/policy
> 
> If we provide the kernel the path to the IMA policy so it can load
> the policy itself it'd be able to later appraise or vet the file
> signature if it has one.  This patch adds support to load the IMA
> policy with a given path as follows:
> 
> echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy
> 
> Changelog v3:
> - moved kernel_read_file_from_path() to a separate patch
> v2:
> - after re-ordering the patches, replace calling integrity_kernel_read()
>   to read the file with kernel_read_file_from_path() (Mimi)
> - Patch description re-written by Luis R. Rodriguez
> 
> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin at huawei.com>
> Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
> ---
>  include/linux/fs.h              |  1 +
>  security/integrity/ima/ima_fs.c | 43 +++++++++++++++++++++++++++++++++++++++--
>  2 files changed, 42 insertions(+), 2 deletions(-)
> 
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index d4d556e..b648e6d 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -2531,6 +2531,7 @@ enum kernel_read_file_id {
>  	READING_MODULE,
>  	READING_KEXEC_IMAGE,
>  	READING_KEXEC_INITRAMFS,
> +	READING_POLICY,
>  	READING_MAX_ID
>  };
>  
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index f355231..00ccd67 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -22,6 +22,7 @@
>  #include <linux/rculist.h>
>  #include <linux/rcupdate.h>
>  #include <linux/parser.h>
> +#include <linux/vmalloc.h>
>  
>  #include "ima.h"
>  
> @@ -258,6 +259,41 @@ static const struct file_operations ima_ascii_measurements_ops = {
>  	.release = seq_release,
>  };
>  
> +static ssize_t ima_read_policy(char *path)
> +{
> +	void *data;
> +	char *datap;
> +	loff_t size;
> +	int rc, pathlen = strlen(path);
> +
> +	char *p;
> +
> +	/* remove \n */
> +	datap = path;
> +	strsep(&datap, "\n");
> +
> +	rc = kernel_read_file_from_path(path, &data, &size, 0, READING_POLICY);
> +	if (rc < 0)
> +		return rc;
> +
> +	datap = data;
> +	while (size > 0 && (p = strsep(&datap, "\n"))) {
> +		pr_debug("rule: %s\n", p);
> +		rc = ima_parse_add_rule(p);
> +		if (rc < 0)
> +			break;
> +		size -= rc;
> +	}
> +
> +	vfree(data);
> +	if (rc < 0)
> +		return rc;
> +	else if (size)
> +		return -EINVAL;
> +	else
> +		return pathlen;
> +}
> +
>  static ssize_t ima_write_policy(struct file *file, const char __user *buf,
>  				size_t datalen, loff_t *ppos)
>  {
> @@ -286,9 +322,12 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
>  	result = mutex_lock_interruptible(&ima_write_mutex);
>  	if (result < 0)
>  		goto out_free;
> -	result = ima_parse_add_rule(data);
> -	mutex_unlock(&ima_write_mutex);
>  
> +	if (data[0] == '/')

It seems that if we feed relative path to ima_policy the update will fail...

> +		result = ima_read_policy(data);
> +	else
> +		result = ima_parse_add_rule(data);
> +	mutex_unlock(&ima_write_mutex);
>  out_free:
>  	kfree(data);
>  out:
> -- 
> 2.1.0
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the kexec mailing list