From: Dmitry Kasatkin <d.kasat...@samsung.com>
We currently cannot do appraisal or signature vetting of IMA policies
since we currently can only load IMA policies by writing the contents
of the policy directly in, as follows:
cat policy-file > <securityfs>/ima/policy
If we provide the kernel the path to the IMA policy so it can load
the policy itself it'd be able to later appraise or vet the file
signature if it has one. This patch adds support to load the IMA
policy with a given path as follows:
echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy
Changelog v2:
- Patch description re-written by Luis R. Rodriguez
Signed-off-by: Dmitry Kasatkin <d.kasat...@samsung.com>
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
security/integrity/iint.c | 4 +---
security/integrity/ima/ima_fs.c | 39 ++++++++++++++++++++++++++++++++++++++-
security/integrity/integrity.h | 2 +-
3 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 2de9c82..54b51a4 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -203,10 +203,8 @@ int integrity_kernel_read(struct file *file, loff_t offset,
* This is function opens a file, allocates the buffer of required
* size, read entire file content to the buffer and closes the file
*
- * It is used only by init code.
- *
*/
-int __init integrity_read_file(const char *path, char **data)
+int integrity_read_file(const char *path, char **data)
{
struct file *file;
loff_t size;
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index eebb985..f902b6b 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -258,6 +258,40 @@ static const struct file_operations
ima_ascii_measurements_ops = {
.release = seq_release,
};
+static ssize_t ima_read_policy(char *path)
+{
+ char *data, *datap;
+ int rc, size, pathlen = strlen(path);
+ char *p;
+
+ /* remove \n */
+ datap = path;
+ strsep(&datap, "\n");
+
+ rc = integrity_read_file(path, &data);
+ if (rc < 0)
+ return rc;
+
+ size = rc;
+ datap = data;
+
+ while (size > 0 && (p = strsep(&datap, "\n"))) {
+ pr_debug("rule: %s\n", p);
+ rc = ima_parse_add_rule(p);
+ if (rc < 0)
+ break;
+ size -= rc;
+ }
+
+ kfree(data);
+ if (rc < 0)
+ return rc;
+ else if (size)
+ return -EINVAL;
+ else
+ return pathlen;
+}
+
static ssize_t ima_write_policy(struct file *file, const char __user *buf,
size_t datalen, loff_t *ppos)
{
@@ -288,7 +322,10 @@ static ssize_t ima_write_policy(struct file *file, const
char __user *buf,
if (copy_from_user(data, buf, datalen))
goto out;
- result = ima_parse_add_rule(data);
+ if (data[0] == '/')
+ result = ima_read_policy(data);
+ else
+ result = ima_parse_add_rule(data);
out:
if (result < 0)
valid_policy = 0;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 5efe2ec..5413f22 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -122,7 +122,7 @@ struct integrity_iint_cache *integrity_iint_find(struct
inode *inode);
int integrity_kernel_read(struct file *file, loff_t offset,
char *addr, unsigned long count);
-int __init integrity_read_file(const char *path, char **data);
+int integrity_read_file(const char *path, char **data);
#define INTEGRITY_KEYRING_EVM 0
#define INTEGRITY_KEYRING_IMA 1
--
2.1.0
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
