This patch provide IMA policy loading from the kernel. When CONFIG_IMA_KERNEL_POLICY is enabled, kernel tries to load default /etc/ima_policy. Policy signature must be located in /etc/ima_policy.sig.
Signed-off-by: Dmitry Kasatkin <[email protected]> --- security/integrity/ima/Kconfig | 7 +++++++ security/integrity/ima/ima.h | 8 ++++++++ security/integrity/ima/ima_fs.c | 18 +++++++++++++++++- security/integrity/ima/ima_init.c | 1 + 4 files changed, 33 insertions(+), 1 deletion(-) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 465cef4..b00044f 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -153,3 +153,10 @@ config IMA_POLICY_LOADER Loading policy is like: echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy + +config IMA_KERNEL_POLICY + bool "Load IMA policy from the kernel" + depends on IMA_POLICY_LOADER + default n + help + This option enables IMA policy loading from the kernel. diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index f2722bb..3727cf7 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -179,6 +179,14 @@ static inline ssize_t ima_read_policy(char *data) } #endif +#ifdef CONFIG_IMA_KERNEL_POLICY +void ima_load_policy(char *path); +#else +static inline void ima_load_policy(char *path) +{ +} +#endif + /* Appraise integrity measurements */ #define IMA_APPRAISE_ENFORCE 0x01 #define IMA_APPRAISE_FIX 0x02 diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index bde7a0e..d050a5c 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -319,7 +319,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp) * point to the new policy rules, and remove the securityfs policy file, * assuming a valid policy. */ -static int ima_release_policy(struct inode *inode, struct file *file) +static void ima_check_policy(void) { if (!valid_policy) { ima_delete_rules(); @@ -328,6 +328,11 @@ static int ima_release_policy(struct inode *inode, struct file *file) ima_update_policy(); } clear_bit(IMA_FS_BUSY, &ima_fs_flags); +} + +static int ima_release_policy(struct inode *inode, struct file *file) +{ + ima_check_policy(); return 0; } @@ -338,6 +343,17 @@ static const struct file_operations ima_measure_policy_ops = { .llseek = generic_file_llseek, }; +#ifdef CONFIG_IMA_KERNEL_POLICY +void __init ima_load_policy(char *path) +{ + if (test_and_set_bit(IMA_FS_BUSY, &ima_fs_flags)) + return; + if (ima_read_policy(path) < 0) + valid_policy = 0; + ima_check_policy(); +} +#endif + int __init ima_fs_init(void) { ima_dir = securityfs_create_dir("ima", NULL); diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index c13d6a8..d1a6483 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -109,6 +109,7 @@ int __init ima_init(void) ima_init_policy(); integrity_init_keyring(INTEGRITY_KEYRING_IMA); integrity_load_x509(INTEGRITY_KEYRING_IMA, "/etc/keys/x509_ima.der"); + ima_load_policy("/etc/ima_policy"); return ima_fs_init(); } -- 1.8.3.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
