aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDmitry Kasatkin <dmitry.kasatkin@huawei.com>2014-04-11 17:47:01 +0300
committerMimi Zohar <zohar@linux.vnet.ibm.com>2016-02-21 09:34:05 -0500
commit7429b092811fb20c6a5b261c2c116a6a90cb9a29 (patch)
treed0f141c188d413de6e718689e314b5fe6a39a195
parentima: support for kexec image and initramfs (diff)
downloadlinux-dev-7429b092811fb20c6a5b261c2c116a6a90cb9a29.tar.xz
linux-dev-7429b092811fb20c6a5b261c2c116a6a90cb9a29.zip
ima: load policy using path
We currently cannot do appraisal or signature vetting of IMA policies since we currently can only load IMA policies by writing the contents of the policy directly in, as follows: cat policy-file > <securityfs>/ima/policy If we provide the kernel the path to the IMA policy so it can load the policy itself it'd be able to later appraise or vet the file signature if it has one. This patch adds support to load the IMA policy with a given path as follows: echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy Changelog v4+: - moved kernel_read_file_from_path() error messages to callers v3: - moved kernel_read_file_from_path() to a separate patch v2: - after re-ordering the patches, replace calling integrity_kernel_read() to read the file with kernel_read_file_from_path() (Mimi) - Patch description re-written by Luis R. Rodriguez Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-rw-r--r--include/linux/fs.h1
-rw-r--r--security/integrity/ima/ima_fs.c45
2 files changed, 44 insertions, 2 deletions
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 52567252288e..e514f76db04f 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2581,6 +2581,7 @@ enum kernel_read_file_id {
READING_MODULE,
READING_KEXEC_IMAGE,
READING_KEXEC_INITRAMFS,
+ READING_POLICY,
READING_MAX_ID
};
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index f355231997b4..a6c61b351f36 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -22,6 +22,7 @@
#include <linux/rculist.h>
#include <linux/rcupdate.h>
#include <linux/parser.h>
+#include <linux/vmalloc.h>
#include "ima.h"
@@ -258,6 +259,43 @@ static const struct file_operations ima_ascii_measurements_ops = {
.release = seq_release,
};
+static ssize_t ima_read_policy(char *path)
+{
+ void *data;
+ char *datap;
+ loff_t size;
+ int rc, pathlen = strlen(path);
+
+ char *p;
+
+ /* remove \n */
+ datap = path;
+ strsep(&datap, "\n");
+
+ rc = kernel_read_file_from_path(path, &data, &size, 0, READING_POLICY);
+ if (rc < 0) {
+ pr_err("Unable to open file: %s (%d)", path, rc);
+ return rc;
+ }
+
+ datap = data;
+ while (size > 0 && (p = strsep(&datap, "\n"))) {
+ pr_debug("rule: %s\n", p);
+ rc = ima_parse_add_rule(p);
+ if (rc < 0)
+ break;
+ size -= rc;
+ }
+
+ vfree(data);
+ if (rc < 0)
+ return rc;
+ else if (size)
+ return -EINVAL;
+ else
+ return pathlen;
+}
+
static ssize_t ima_write_policy(struct file *file, const char __user *buf,
size_t datalen, loff_t *ppos)
{
@@ -286,9 +324,12 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
result = mutex_lock_interruptible(&ima_write_mutex);
if (result < 0)
goto out_free;
- result = ima_parse_add_rule(data);
- mutex_unlock(&ima_write_mutex);
+ if (data[0] == '/')
+ result = ima_read_policy(data);
+ else
+ result = ima_parse_add_rule(data);
+ mutex_unlock(&ima_write_mutex);
out_free:
kfree(data);
out: