path: root/security/integrity/ima/ima_fs.c
authorEric Paris <eparis@redhat.com>2010-04-20 10:20:54 -0400
committerJames Morris <jmorris@namei.org>2010-04-20 19:58:13 -0400
commit6ccd045630054c99ba1bb35673db12cfcf1eea58 (patch)
treebce41e39722ae178807abe2213fd94e582842bae /security/integrity/ima/ima_fs.c
parenta200005038955057063fc8ea82129ebc785df41c (diff)
ima: handle multiple rules per write
Currently IMA will only accept one rule per write(). This patch allows IMA to accept writes which contain multiple rules but only processes one rule per write. '\n' is used as the delimiter between rules. IMA will return a short write indicating that it only accepted up to the first '\n'. This allows simple userspace utilities like cat to be used to load an IMA policy instead of needing a special userspace utility that understands 'one write per rule'. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/integrity/ima/ima_fs.c')
-rw-r--r--security/integrity/ima/ima_fs.c38
1 files changed, 20 insertions, 18 deletions
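--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -243,32 +243,34 @@ static const struct file_operations ima_ascii_measurements_ops = {
 static ssize_t ima_write_policy(struct file *file, const char __user *buf,
 				size_t datalen, loff_t *ppos)
 {
-	char *data;
-	int rc;
+	char *data = NULL;
+	ssize_t result;
 
 	if (datalen >= PAGE_SIZE)
-		return -ENOMEM;
-	if (*ppos != 0) {
-		/* No partial writes. */
-		return -EINVAL;
-	}
+		datalen = PAGE_SIZE - 1;
+
+	/* No partial writes. */
+	result = -EINVAL;
+	if (*ppos != 0)
+		goto out;
+
+	result = -ENOMEM;
 	data = kmalloc(datalen + 1, GFP_KERNEL);
 	if (!data)
-		return -ENOMEM;
+		goto out;
 
-	if (copy_from_user(data, buf, datalen)) {
-		kfree(data);
-		return -EFAULT;
-	}
 	*(data + datalen) = '\0';
-	rc = ima_parse_add_rule(data);
-	if (rc < 0) {
-		datalen = -EINVAL;
-		valid_policy = 0;
-	}
 
+	result = -EFAULT;
+	if (copy_from_user(data, buf, datalen))
+		goto out;
+
+	result = ima_parse_add_rule(data);
+out:
+	if (result < 0)
+		valid_policy = 0;
 	kfree(data);
-	return result;
+	return result;
 }
 
 static struct dentry *ima_dir;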
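Review bot: The new `datalen = PAGE_SIZE - 1;` clamp silently truncates an oversize write where the old code rejected it with -ENOMEM, and nothing in the hunk tells a reader that this is safe only because ima_parse_add_rule is expected to consume up to the first '\n' and return a short count so the caller resends the rest; a single rule longer than PAGE_SIZE - 1 bytes would presumably reach the parser cut off, so the behaviour for that case should be stated. I would add above the clamp: `/* Clamp to one page: the parser consumes at most one '\n'-terminated rule and the short return lets the caller resend the remainder. */`. Separately, the `out:` path now clears valid_policy on every error, including -EINVAL for a non-zero *ppos and -EFAULT from copy_from_user, whereas the old code only did so on a parse failure; if that widening is intended it deserves a one-line comment, otherwise the check should move next to the ima_parse_add_rule call. The return type of ima_parse_add_rule is not visible here, so the assignment into a `ssize_t result` is assumed to be a byte count or negative errno.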