This series aims to introduce integrity measurements when the IMA policy is written to the securityfs policy file. In particular, when a signed policy is not mandatory, the policy can be written directly to the securityfs file: the first write replaces the boot policy, and subsequent writes append new policy rules (if CONFIG_IMA_WRITE_POLICY=y). In this case a new policy can be loaded without being measured.
Patch #1 introduces a new critical-data record for the newly loaded policy. The measurement is performed over the textual representation of the new policy once it becomes effective (after ima_update_policy()). As suggested by Mimi, the new critical-data rule is added to the arch specific policy rules.

Patch #2, following Roberto's suggestion, measures the input buffer sent to the securityfs policy file, regardless of whether the new policy will be accepted or not. This is done by calling process_measurement(), so that the buffer is caught when 'measure func=POLICY_CHECK' is enabled (e.g., ima_policy=tcb).

Changes in v2:
- Set a new critical-data rule for measuring the loaded IMA policy.
- Add the new critical-data rule to the specific arch policy rules.
- Add patch #2 for measuring the input buffer sent to the securityfs policy file.

Enrico Bravi (2):
  ima: measure loaded policy after write on securityfs policy file
  ima: measure buffer sent to securityfs policy file

 security/integrity/ima/ima.h        |  2 +
 security/integrity/ima/ima_efi.c    |  1 +
 security/integrity/ima/ima_fs.c     |  2 +
 security/integrity/ima/ima_main.c   | 38 +++++++++++++++++
 security/integrity/ima/ima_policy.c | 63 ++++++++++++++++++++++++++++-
 5 files changed, 104 insertions(+), 2 deletions(-)

base-commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449
-- 
2.52.0
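Once such records land in the measurement list, a verifier on the attestation side needs to be able to pick them out and confirm that the recorded digest really covers the policy text carried in the entry. The following is an added example (not code from this series or from the kernel) showing that check over a constructed ascii_runtime_measurements excerpt. It assumes the record is emitted in the ima-buf template layout (d-ng|n-ng|buf), uses a placeholder event name because the series does not state the real one, and fills the template-digest field with zeros since only the buffer digest is checked here.

```python
import hashlib

# Constructed sample: the textual policy an administrator might write to
# /sys/kernel/security/ima/policy. Not taken from the patch series.
SAMPLE_POLICY = (
    "measure func=POLICY_CHECK\n"
    "measure func=BPRM_CHECK mask=MAY_EXEC\n"
)

# Hypothetical event name (n-ng field) for the critical-data record; the
# series does not give the real name, so this is a placeholder.
POLICY_EVENT_NAME = "ima-policy-update-placeholder"

# Recomputing the template digest needs the binary template layout, so the
# constructed entries carry a zeroed placeholder in that field. The check
# below relies only on the d-ng digest, which is what binds the record to
# the measured buffer.
PLACEHOLDER_TEMPLATE_DIGEST = "0" * 64


def make_ima_buf_entry(pcr, event_name, buf, algo="sha256"):
    """Build one ascii_runtime_measurements line in ima-buf layout:
    <pcr> <template digest> ima-buf <algo>:<digest of buf> <name> <hex buf>
    """
    digest = hashlib.new(algo, buf).hexdigest()
    return " ".join([
        str(pcr), PLACEHOLDER_TEMPLATE_DIGEST, "ima-buf",
        f"{algo}:{digest}", event_name, buf.hex(),
    ])


def parse_ima_buf_entry(line):
    """Split an ima-buf entry into its fields; raise on any other template."""
    parts = line.strip().split(" ", 5)
    if len(parts) != 6 or parts[2] != "ima-buf":
        raise ValueError("not an ima-buf template entry")
    pcr, tmpl_digest, _tmpl, dng, name, hexbuf = parts
    algo, digest = dng.split(":", 1)
    return {
        "pcr": int(pcr),
        "template_digest": tmpl_digest,
        "algo": algo,
        "digest": digest,
        "name": name,
        "buf": bytes.fromhex(hexbuf),
    }


def verify_ima_buf_entry(line):
    """True if the recorded d-ng digest matches the buffer in the entry."""
    entry = parse_ima_buf_entry(line)
    actual = hashlib.new(entry["algo"], entry["buf"]).hexdigest()
    return actual == entry["digest"]


def loaded_policies(log_lines, event_name=POLICY_EVENT_NAME):
    """Return the policy texts recorded under event_name, in log order,
    skipping entries whose digest does not match their buffer."""
    found = []
    for line in log_lines:
        try:
            entry = parse_ima_buf_entry(line)
        except ValueError:
            continue  # other templates, e.g. ima-ng file measurements
        if entry["name"] != event_name or not verify_ima_buf_entry(line):
            continue
        found.append(entry["buf"].decode("utf-8", errors="replace"))
    return found


# Constructed measurement log: one unrelated ima-ng file entry plus one
# policy record built with the helper above.
SAMPLE_LOG = [
    "10 " + "1" * 40 + " ima-ng sha256:" + "2" * 64 + " /usr/bin/true",
    make_ima_buf_entry(10, POLICY_EVENT_NAME, SAMPLE_POLICY.encode()),
]

# Tampered copy: the last byte of the hex buffer was altered after the
# fact, so the recorded digest no longer matches the carried data.
TAMPERED_LOG = [SAMPLE_LOG[1][:-2] + "0b"]


if __name__ == "__main__":
    print("valid policies:", loaded_policies(SAMPLE_LOG))
    print("tampered log yields:", loaded_policies(TAMPERED_LOG))
```

The same check applies to the record from patch #2, where the buffer is the raw input written to the policy file rather than the effective policy text; only the event name used to select entries would differ.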
