authorMimi Zohar <zohar@linux.vnet.ibm.com>2018-01-15 11:20:36 -0500
committerMimi Zohar <zohar@linux.vnet.ibm.com>2018-05-22 07:33:53 -0400
commitf1b08bbcbdaf3160fa95ec95a760a49adf312b67 (patch)
tree8eca8887dda0382e801a69102d6c2cce36616d61
parentfa516b66a1bfce1d72f1620c54bdfebc493000d1 (diff)
ima: define a new policy condition based on the filesystem name
If/when file data signatures are distributed with the file data, this patch will not be needed. In the current environment where only some files are signed, the ability to differentiate between file systems is needed. Some file systems consider the file system magic number internal to the file system. This patch defines a new IMA policy condition named "fsname", based on the superblock's file_system_type (sb->s_type) name. This allows policy rules to be expressed in terms of the filesystem name. The following sample rules require file signatures on rootfs files executed or mmap'ed.

appraise func=BPRM_CHECK fsname=rootfs appraise_type=imasig
appraise func=FILE_MMAP fsname=rootfs appraise_type=imasig

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Theodore Ts'o <tytso@mit.edu>
-rw-r--r--Documentation/ABI/testing/ima_policy2
-rw-r--r--security/integrity/ima/ima_policy.c25
2 files changed, 25 insertions, 2 deletions
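diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index b8465e00ba5f..74c6702de74e 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -21,7 +21,7 @@ Description:
 audit | hash | dont_hash
 condition:= base | lsm [option]
 base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
-[euid=] [fowner=]]
+[euid=] [fowner=] [fsname=]]
 lsm: [[subj_user=] [subj_role=] [subj_type=]
 [obj_user=] [obj_role=] [obj_type=]]
 option: [[appraise_type=]] [permit_directio]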
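diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index d89bebf85421..03cbba423e59 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -33,6 +33,7 @@
 #define IMA_INMASK 0x0040
 #define IMA_EUID 0x0080
 #define IMA_PCR 0x0100
+#define IMA_FSNAME 0x0200
 
 #define UNKNOWN 0
 #define MEASURE 0x0001 /* same as IMA_MEASURE */
@@ -74,6 +75,7 @@ struct ima_rule_entry {
 void *args_p; /* audit value */
 int type; /* audit type */
 } lsm[MAX_LSM_RULES];
+char *fsname;
 };
 
 /*
@@ -273,6 +275,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
 if ((rule->flags & IMA_FSMAGIC)
 && rule->fsmagic != inode->i_sb->s_magic)
 return false;
+if ((rule->flags & IMA_FSNAME)
+&& strcmp(rule->fsname, inode->i_sb->s_type->name))
+return false;
 if ((rule->flags & IMA_FSUUID) &&
 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
 return false;
@@ -540,7 +545,7 @@ enum {
 Opt_audit, Opt_hash, Opt_dont_hash,
 Opt_obj_user, Opt_obj_role, Opt_obj_type,
 Opt_subj_user, Opt_subj_role, Opt_subj_type,
-Opt_func, Opt_mask, Opt_fsmagic,
+Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname,
 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
@@ -565,6 +570,7 @@ static match_table_t policy_tokens = {
 {Opt_func, "func=%s"},
 {Opt_mask, "mask=%s"},
 {Opt_fsmagic, "fsmagic=%s"},
+{Opt_fsname, "fsname=%s"},
 {Opt_fsuuid, "fsuuid=%s"},
 {Opt_uid_eq, "uid=%s"},
 {Opt_euid_eq, "euid=%s"},
@@ -776,6 +782,17 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 if (!result)
 entry->flags |= IMA_FSMAGIC;
 break;
+case Opt_fsname:
+ima_log_string(ab, "fsname", args[0].from);
+
+entry->fsname = kstrdup(args[0].from, GFP_KERNEL);
+if (!entry->fsname) {
+result = -ENOMEM;
+break;
+}
+result = 0;
+entry->flags |= IMA_FSNAME;
+break;
 case Opt_fsuuid:
 ima_log_string(ab, "fsuuid", args[0].from);
 
@@ -1104,6 +1121,12 @@ int ima_policy_show(struct seq_file *m, void *v)
 seq_puts(m, " ");
 }
 
+if (entry->flags & IMA_FSNAME) {
+snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
+seq_printf(m, pt(Opt_fsname), tbuf);
+seq_puts(m, " ");
+}
+
 if (entry->flags & IMA_PCR) {
 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
 seq_printf(m, pt(Opt_pcr), tbuf);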
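Review bot: The `kstrdup()` in the new `Opt_fsname` case of `ima_parse_rule()` has no matching `kfree()` anywhere in this diff, and the case does not reject a repeated `fsname=` in the same rule, so a rule containing `fsname=a fsname=b` silently overwrites and leaks the first copy. Unless the rule-teardown path (not in the hunk) already frees `entry->fsname`, every policy replacement and every rule that fails to parse after this option will leak the string as well. I would add a duplicate guard ahead of the allocation, `if (entry->fsname) { result = -EINVAL; break; }`, and release `entry->fsname` wherever `entry->lsm[i].args_p` is released. The `ima_policy_show()` hunk could also pass `entry->fsname` straight to `seq_printf()` rather than copying it through `tbuf`, which would silently truncate a name longer than that buffer. `ima_parse_rule()` and `ima_policy_show()` both start and end outside their hunks.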