This series aims to introduce integrity measurements when the IMA policy is written on the securityfs file. In particular, when a signed policy is not mandatory, it can be written directly on the securityfs file. This allows overriding the boot policy at the first write, and appending new policy rules at the subsequent writes (if CONFIG_IMA_WRITE_POLICY=y). In this case a new policy can be loaded without being measured.

The patch #1 introduces a new critical-data record for the newly loaded policy. The measurement is performed over the textual representation of the new policy once it becomes effective (after ima_update_policy()). As suggested by Mimi, the new critical-data rule is added to the arch specific policy rules (only when a signed policy is not mandatory).

The patch #2, following what was suggested by Roberto, measures the input buffer sent to the securityfs policy file, regardless of whether the new policy will be accepted or not. This is done by calling process_buffer_measurement(), enabling POLICY_CHECK in ima_match_rules() and ima_match_rule_data() in order to catch it when 'measure func=POLICY_CHECK' is defined (e.g., ima_policy=tcb).

Changes in v3:
 - Include the newly defined critical-data rule only if a signed policy is
   not mandatory as suggested by Mimi.
 - Removed the ima_policy_text_len() function as suggested by Mimi.
 - Moved policy input buffer measurement from process_measurement() to
   process_buffer_measurement() as suggested by Mimi.
 - Changed ima_measure_policy_write() function name to
   ima_measure_policy_buf() as suggested by Mimi.
 - Updated patches description.

Changes in v2:
 - Set a new critical-data rule for measuring the loaded IMA policy.
 - Add the new critical-data rule to the specific arch policy rules.
 - Add patch #2 for measuring the input buffer sent to the securityfs
   policy file.

Enrico Bravi (2):
  ima: measure loaded policy after write on securityfs policy file
  ima: measure buffer sent to securityfs policy file

 security/integrity/ima/ima.h        |  2 +
 security/integrity/ima/ima_efi.c    |  2 +
 security/integrity/ima/ima_fs.c     |  2 +
 security/integrity/ima/ima_main.c   | 19 ++++++++++
 security/integrity/ima/ima_policy.c | 58 ++++++++++++++++++++++++++++-
 5 files changed, 81 insertions(+), 2 deletions(-)

base-commit: 028ef9c96e96197026887c0f092424679298aae8
-- 
2.52.0
