On Mon, 2025-12-22 at 09:01 -0500, Mimi Zohar wrote: > Hi Enrico, > > On Tue, 2025-12-16 at 17:56 +0100, Enrico Bravi wrote: > > When signed a policy is not mandatory, it is possile to write the IMA > > policy directly on the corresponding securityfs file: > > > > echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \ > > "audit func=BPRM_CHECK mask=MAY_EXEC\n" \ > > > /sys/kernel/security/ima/policy > > > > Add input buffer measurement that can be caught when 'measure > > func=POLICY_CHECK' is enabled (e.g., ima_policy=tcb). > > > > Suggested-by: Roberto Sassu <[email protected]> > > Signed-off-by: Enrico Bravi <[email protected]> > > --- > > security/integrity/ima/ima.h | 1 + > > security/integrity/ima/ima_fs.c | 1 + > > security/integrity/ima/ima_main.c | 38 +++++++++++++++++++++++++++++++ > > 3 files changed, 40 insertions(+) > > > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > > index ca7b96663623..3b00c298355b 100644 > > --- a/security/integrity/ima/ima.h > > +++ b/security/integrity/ima/ima.h > > @@ -426,6 +426,7 @@ void *ima_policy_next(struct seq_file *m, void *v, > > loff_t *pos); > > void ima_policy_stop(struct seq_file *m, void *v); > > int ima_policy_show(struct seq_file *m, void *v); > > void ima_measure_loaded_policy(void); > > +int ima_measure_policy_write(char *buf, size_t size); > > > > /* Appraise integrity measurements */ > > #define IMA_APPRAISE_ENFORCE 0x01 > > diff --git a/security/integrity/ima/ima_fs.c > > b/security/integrity/ima/ima_fs.c > > index 89946d803d44..f1a5edd060ad 100644 > > --- a/security/integrity/ima/ima_fs.c > > +++ b/security/integrity/ima/ima_fs.c > > @@ -362,6 +362,7 @@ static ssize_t ima_write_policy(struct file *file, const > > char __user *buf, > > 1, 0); > > result = -EACCES; > > } else { > > + ima_measure_policy_write(data, datalen); > > result = ima_parse_add_rule(data); > > } > > mutex_unlock(&ima_write_mutex); > > diff --git a/security/integrity/ima/ima_main.c > > b/security/integrity/ima/ima_main.c > > index cdd225f65a62..6a8ad4714881 100644 > > --- a/security/integrity/ima/ima_main.c > > +++ b/security/integrity/ima/ima_main.c > > @@ -28,6 +28,7 @@ > > #include <linux/iversion.h> > > #include <linux/evm.h> > > #include <linux/crash_dump.h> > > +#include <linux/shmem_fs.h> > > > > #include "ima.h" > > > > @@ -986,6 +987,43 @@ static int ima_post_load_data(char *buf, loff_t size, > > return 0; > > } > > > > +/** > > + * ima_measure_policy_write - Measure the policy write buffer > > + * @buf: pointer to the buffer containing the policy write data > > + * @size: size of the buffer > > + * > > + * Measure the buffer sent to the IMA policy securityfs file. > > + * > > + * Return 0 on success, a negative value otherwise. > > + */ > > +int ima_measure_policy_write(char *buf, size_t size0 > > +{ > > + static const char op[] = "measure_ima_policy_write"; > > + const char *file_name = "ima_write_policy_buffer"; > > + static char *audit_cause = "ENOMEM"; > > + struct file *policy_file = NULL; > > + struct lsm_prop prop; > > + int ret = 0; > > + > > + policy_file = shmem_kernel_file_setup(file_name, 0, 0); > > + if (IS_ERR(policy_file)) { > > + ret = PTR_ERR(policy_file); > > + audit_cause = "alloc_file"; > > + integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, "ima_policy_write", > > + op, audit_cause, ret, 1); > > + goto out; > > + } > > + > > + security_current_getlsmprop_subj(&prop); > > + > > + ret = process_measurement(policy_file, current_cred(), &prop, buf, size, > > + MAY_READ, POLICY_CHECK); > > The purpose of this patch is to measure IMA policy rules as they're written to > the <securityfs> IMA policy file, based on the IMA "measure func=POLICY_CHECK" > policy rule. > > Like critical data, it should be calling process_buffer_measurement(), not > process_measurement(). > > The functions ima_match_rules() and ima_match_rule_data() need to be updated > to support POLICY_CHECK.
Hi Mimi, ok sure, I can switch to process_buffer_measurement(). > This function naming is off and should be renamed to ima_measure_policy_buf(). > > Please update the patch description accordingly. Will do. Thanks again for your feedback. Enrico > Mimi > > > + fput(policy_file); > > + > > +out: > > + return ret; > > +} > > + > > /** > > * process_buffer_measurement - Measure the buffer or the buffer data hash > > * @idmap: idmap of the mount the inode was found from
