On Tue, 2026-05-26 at 15:51 +0200, Enrico Bravi wrote:
> IMA policy can be written multiple times in the securityfs policy file
> at runtime if CONFIG_IMA_WRITE_POLICY=y. When IMA_APPRAISE_POLICY is
> required, the policy needs to be signed to be loaded, writing the absolute
> path of the file containing the new policy:
> 
> echo /path/of/custom_ima_policy > /sys/kernel/security/ima/policy
> 
> When this is not required, policy can be written directly, rule by rule:
> 
> echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \
>         "audit func=BPRM_CHECK mask=MAY_EXEC\n" \
>      > /sys/kernel/security/ima/policy
> 
> In this case, a new policy can be loaded without being measured or
> appraised.
> 
> Add a new critical data record to measure the textual policy
> representation when it becomes effective.
> To verify the template data hash value, convert the buffer policy data
> to binary:
> grep "ima_policy_loaded" \
>       /sys/kernel/security/integrity/ima/ascii_runtime_measurements | \
>       tail -1 | cut -d' ' -f 6 | xxd -r -p | sha256sum
> 
> Signed-off-by: Enrico Bravi <[email protected]>

Thanks, Enrico.  Just a few inline comments.

> ---
>  security/integrity/ima/ima.h        |  1 +
>  security/integrity/ima/ima_efi.c    |  2 ++
>  security/integrity/ima/ima_fs.c     |  1 +
>  security/integrity/ima/ima_policy.c | 55 +++++++++++++++++++++++++++--
>  4 files changed, 57 insertions(+), 2 deletions(-)
> 
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index 89ebe98ffc5e..a223d3f30d88 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -425,6 +425,7 @@ void *ima_policy_start(struct seq_file *m, loff_t *pos);
>  void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
>  void ima_policy_stop(struct seq_file *m, void *v);
>  int ima_policy_show(struct seq_file *m, void *v);
> +void ima_measure_loaded_policy(void);
>  
>  /* Appraise integrity measurements */
>  #define IMA_APPRAISE_ENFORCE 0x01
> diff --git a/security/integrity/ima/ima_efi.c 
> b/security/integrity/ima/ima_efi.c
> index 138029bfcce1..8e9f85ec9a86 100644
> --- a/security/integrity/ima/ima_efi.c
> +++ b/security/integrity/ima/ima_efi.c
> @@ -60,6 +60,8 @@ static const char * const sb_arch_rules[] = {
>  #endif
>  #if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && 
> IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
>       "appraise func=POLICY_CHECK appraise_type=imasig",
> +#else
> +     "measure func=CRITICAL_DATA label=ima_policy",
>  #endif

 None of the other arch "measure" policy rules are conditional.  Should the new
"measure" rule be limited?

>       "measure func=MODULE_CHECK",
>       NULL
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index 012a58959ff0..75cb308cf01f 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -476,6 +476,7 @@ static int ima_release_policy(struct inode *inode, struct 
> file *file)
>       }
>  
>       ima_update_policy();
> +     ima_measure_loaded_policy();
>  #if !defined(CONFIG_IMA_WRITE_POLICY) && !defined(CONFIG_IMA_READ_POLICY)
>       securityfs_remove(file->f_path.dentry);
>  #elif defined(CONFIG_IMA_WRITE_POLICY)
> diff --git a/security/integrity/ima/ima_policy.c 
> b/security/integrity/ima/ima_policy.c
> index bf2d7ba4c14a..e0b4dae922b6 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -17,6 +17,7 @@
>  #include <linux/slab.h>
>  #include <linux/rculist.h>
>  #include <linux/seq_file.h>
> +#include <linux/vmalloc.h>
>  #include <linux/ima.h>
>  
>  #include "ima.h"
> @@ -2022,7 +2023,6 @@ const char *const func_tokens[] = {
>       __ima_hooks(__ima_hook_stringify)
>  };
>  
> -#ifdef       CONFIG_IMA_READ_POLICY

Removing the ifdef, here, does not affect viewing the IMA measurement lists, but
allows copying and measuring the policy rules.  Please include a comment in the
patch description.

>  enum {
>       mask_exec = 0, mask_write, mask_read, mask_append
>  };
> @@ -2324,7 +2324,6 @@ int ima_policy_show(struct seq_file *m, void *v)
>       seq_puts(m, "\n");
>       return 0;
>  }
> -#endif       /* CONFIG_IMA_READ_POLICY */
>  
>  #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
>  /*
> @@ -2381,3 +2380,55 @@ bool ima_appraise_signature(enum kernel_read_file_id 
> id)
>       return found;
>  }
>  #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
> +

Please add kernel-doc here, something like:

/**
 * ima_measure_loaded_policy - measure the active IMA policy ruleset
 *
 * Must be called with ima_write_mutex held, as it performs two
 * separate RCU read passes over ima_rules and relies on the mutex
 * to prevent concurrent policy updates between them.
 */
> +void ima_measure_loaded_policy(void)
> +{
> +     const char *event_name = "ima_policy_loaded";
> +     const char *op = "measure_loaded_ima_policy";
> +     const char *audit_cause = "ENOMEM";
> +     struct ima_rule_entry *rule_entry;
> +     struct list_head *ima_rules_tmp;
> +     struct seq_file file;
> +     int result = -ENOMEM;
> +     size_t file_len;
> +     char rule[255];

The 255-byte buffer may be insufficient for custom policy rules that include
additional fields such as LSM labels and other file metadata, unlike the simpler
built-in and architecture-specific rules. Please increase the buffer size to
accommodate the worst-case serialized rule length.

> +
> +     /* calculate IMA policy rules memory size */
> +     file.buf = rule;
> +     file.read_pos = 0;
> +     file.size = 255;
> +     file.count = 0;
> +

Please add "lockdep_assert_held(&ima_write_mutex);"  here.

> +     rcu_read_lock();
> +     ima_rules_tmp = rcu_dereference(ima_rules);
> +     list_for_each_entry_rcu(rule_entry, ima_rules_tmp, list) {
> +             ima_policy_show(&file, rule_entry);
> +             file_len += file.count;
> +             file.count = 0;
> +     }

Variables defined on the stack need to be initialized before being used. Please
iniitalize file_len to zero.

> +     rcu_read_unlock();
> +
> +     /* copy IMA policy rules to a buffer for measuring */
> +     file.buf = vmalloc(file_len);
> +     if (!file.buf) {
> +             integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, event_name,
> +                                 op, audit_cause, result, 1);
> +             return;
> +     }
> +
> +     file.read_pos = 0;
> +     file.size = file_len;
> +     file.count = 0;
> +
> +     rcu_read_lock();
> +     ima_rules_tmp = rcu_dereference(ima_rules);
> +     list_for_each_entry_rcu(rule_entry, ima_rules_tmp, list) {
> +             ima_policy_show(&file, rule_entry);
> +     }
> +     rcu_read_unlock();
> +
> +     ima_measure_critical_data("ima_policy", event_name, file.buf,
> +                               file.count, false, NULL, 0);
> +
> +     vfree(file.buf);
> +}

Thanks,

Mimi

Reply via email to