authorMimi Zohar <zohar@linux.vnet.ibm.com>2018-04-12 00:15:22 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2018-05-22 13:16:42 -0400
commit6f0911a666d1f99ff72e7848ddee36af7bbce050 (patch)
tree5cf7324ad0d10828704a87762b86ca5f845371c3
parentfd90bc559bfba743ae8de87ff23b92a5e4668062 (diff)
ima: fix updating the ima_appraise flag
As IMA policy rules are added, a mask of the type of rule (e.g. kernel modules, firmware, IMA policy) is updated. Unlike custom IMA policy rules, which replace the original builtin policy rules and update the mask, the builtin "secure_boot" policy rules were loaded, but did not update the mask. This patch refactors the code to load custom policies, defining a new function named ima_appraise_flag(). The new function is called either when loading the builtin "secure_boot" or custom policies. Fixes: 503ceaef8e2e ("ima: define a set of appraisal rules requiring file signatures") Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-rw-r--r--security/integrity/ima/ima_policy.c28
1 files changed, 19 insertions, 9 deletions
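diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 03cbba423e59..8bbc18eb07eb 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -440,6 +440,17 @@ void ima_update_policy_flag(void)
  ima_policy_flag &= ~IMA_APPRAISE;
 }
 
+static int ima_appraise_flag(enum ima_hooks func)
+{
+ if (func == MODULE_CHECK)
+ return IMA_APPRAISE_MODULES;
+ else if (func == FIRMWARE_CHECK)
+ return IMA_APPRAISE_FIRMWARE;
+ else if (func == POLICY_CHECK)
+ return IMA_APPRAISE_POLICY;
+ return 0;
+}
+
 /**
  * ima_init_policy - initialize the default measure rules.
  *
@@ -478,9 +489,11 @@ void __init ima_init_policy(void)
  * Insert the appraise rules requiring file signatures, prior to
  * any other appraise rules.
  */
- for (i = 0; i < secure_boot_entries; i++)
- list_add_tail(&secure_boot_rules[i].list,
- &ima_default_rules);
+ for (i = 0; i < secure_boot_entries; i++) {
+ list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
+ temp_ima_appraise |=
+ ima_appraise_flag(secure_boot_rules[i].func);
+ }
 
  for (i = 0; i < appraise_entries; i++) {
  list_add_tail(&default_appraise_rules[i].list,
@@ -934,12 +947,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
  }
  if (!result && (entry->action == UNKNOWN))
  result = -EINVAL;
- else if (entry->func == MODULE_CHECK)
- temp_ima_appraise |= IMA_APPRAISE_MODULES;
- else if (entry->func == FIRMWARE_CHECK)
- temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
- else if (entry->func == POLICY_CHECK)
- temp_ima_appraise |= IMA_APPRAISE_POLICY;
+ else if (entry->action == APPRAISE)
+ temp_ima_appraise |= ima_appraise_flag(entry->func);
+
  audit_log_format(ab, "res=%d", !result);
  audit_log_end(ab);
  return result;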
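Review bot: In the ima_parse_rule hunk the new `else if (entry->action == APPRAISE)` branch ORs into temp_ima_appraise even when result is already non-zero, so a rule that failed to parse but carried an appraise action with a module/firmware/policy func still leaves its bit set in the mask; if the caller discards the entry on error (not visible here), that bit no longer corresponds to any loaded rule. The old code had the same ordering, but this refactor is the natural place to tie the update to a successful parse, e.g. `else if (!result && entry->action == APPRAISE)`. ima_parse_rule begins outside the hunk, so the earlier assignments to result are not visible in this view. The new helper ima_appraise_flag in the first hunk has no comment; a one-line header such as `/* Map an appraise rule's hook to its IMA_APPRAISE_* mask bit, 0 if none. */` would make its contract explicit for the two callers.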