diff options
author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2012-10-15 22:10:08 -0400 |
---|---|---|
committer | Rusty Russell <rusty@rustcorp.com.au> | 2012-12-13 21:35:26 -0500 |
commit | fdf90729e57812cb12d7938e2dee7c71e875fb08 (patch) | |
tree | 0ec17c765406dedc37ac278823d50587d53d1525 /security/integrity | |
parent | 1625cee56f8e6193b5a0809a414dfa395bd9cf1e (diff) |
ima: support new kernel module syscall
With the addition of the new kernel module syscall, which defines two
arguments - a file descriptor to the kernel module and a pointer to a NULL
terminated string of module arguments - it is now possible to measure and
appraise kernel modules like any other file on the file system.
This patch adds support to measure and appraise kernel modules in an
extensible and consistent manner.
To support filesystems without extended attribute support, additional
patches could pass the signature as the first parameter.
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'security/integrity')
-rw-r--r-- | security/integrity/ima/ima.h | 2 | ||||
-rw-r--r-- | security/integrity/ima/ima_api.c | 4 | ||||
-rw-r--r-- | security/integrity/ima/ima_main.c | 21 | ||||
-rw-r--r-- | security/integrity/ima/ima_policy.c | 3 |
4 files changed, 27 insertions, 3 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 6ee8826662cc..3b2adb794f15 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h | |||
@@ -127,7 +127,7 @@ struct integrity_iint_cache *integrity_iint_insert(struct inode *inode); | |||
127 | struct integrity_iint_cache *integrity_iint_find(struct inode *inode); | 127 | struct integrity_iint_cache *integrity_iint_find(struct inode *inode); |
128 | 128 | ||
129 | /* IMA policy related functions */ | 129 | /* IMA policy related functions */ |
130 | enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK, POST_SETATTR }; | 130 | enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK, MODULE_CHECK, POST_SETATTR }; |
131 | 131 | ||
132 | int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, | 132 | int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, |
133 | int flags); | 133 | int flags); |
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index b356884fb3ef..0cea3db21657 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c | |||
@@ -100,12 +100,12 @@ err_out: | |||
100 | * ima_get_action - appraise & measure decision based on policy. | 100 | * ima_get_action - appraise & measure decision based on policy. |
101 | * @inode: pointer to inode to measure | 101 | * @inode: pointer to inode to measure |
102 | * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE) | 102 | * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE) |
103 | * @function: calling function (FILE_CHECK, BPRM_CHECK, FILE_MMAP) | 103 | * @function: calling function (FILE_CHECK, BPRM_CHECK, FILE_MMAP, MODULE_CHECK) |
104 | * | 104 | * |
105 | * The policy is defined in terms of keypairs: | 105 | * The policy is defined in terms of keypairs: |
106 | * subj=, obj=, type=, func=, mask=, fsmagic= | 106 | * subj=, obj=, type=, func=, mask=, fsmagic= |
107 | * subj,obj, and type: are LSM specific. | 107 | * subj,obj, and type: are LSM specific. |
108 | * func: FILE_CHECK | BPRM_CHECK | FILE_MMAP | 108 | * func: FILE_CHECK | BPRM_CHECK | FILE_MMAP | MODULE_CHECK |
109 | * mask: contains the permission mask | 109 | * mask: contains the permission mask |
110 | * fsmagic: hex value | 110 | * fsmagic: hex value |
111 | * | 111 | * |
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 73c9a268253e..45de18e9a6f2 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c | |||
@@ -280,6 +280,27 @@ int ima_file_check(struct file *file, int mask) | |||
280 | } | 280 | } |
281 | EXPORT_SYMBOL_GPL(ima_file_check); | 281 | EXPORT_SYMBOL_GPL(ima_file_check); |
282 | 282 | ||
283 | /** | ||
284 | * ima_module_check - based on policy, collect/store/appraise measurement. | ||
285 | * @file: pointer to the file to be measured/appraised | ||
286 | * | ||
287 | * Measure/appraise kernel modules based on policy. | ||
288 | * | ||
289 | * Always return 0 and audit dentry_open failures. | ||
290 | * Return code is based upon measurement appraisal. | ||
291 | */ | ||
292 | int ima_module_check(struct file *file) | ||
293 | { | ||
294 | int rc; | ||
295 | |||
296 | if (!file) | ||
297 | rc = INTEGRITY_UNKNOWN; | ||
298 | else | ||
299 | rc = process_measurement(file, file->f_dentry->d_name.name, | ||
300 | MAY_EXEC, MODULE_CHECK); | ||
301 | return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0; | ||
302 | } | ||
303 | |||
283 | static int __init init_ima(void) | 304 | static int __init init_ima(void) |
284 | { | 305 | { |
285 | int error; | 306 | int error; |
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index c7dacd2eab7a..af7d182d5a46 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c | |||
@@ -80,6 +80,7 @@ static struct ima_rule_entry default_rules[] = { | |||
80 | .flags = IMA_FUNC | IMA_MASK}, | 80 | .flags = IMA_FUNC | IMA_MASK}, |
81 | {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = GLOBAL_ROOT_UID, | 81 | {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = GLOBAL_ROOT_UID, |
82 | .flags = IMA_FUNC | IMA_MASK | IMA_UID}, | 82 | .flags = IMA_FUNC | IMA_MASK | IMA_UID}, |
83 | {.action = MEASURE,.func = MODULE_CHECK, .flags = IMA_FUNC}, | ||
83 | }; | 84 | }; |
84 | 85 | ||
85 | static struct ima_rule_entry default_appraise_rules[] = { | 86 | static struct ima_rule_entry default_appraise_rules[] = { |
@@ -401,6 +402,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) | |||
401 | /* PATH_CHECK is for backwards compat */ | 402 | /* PATH_CHECK is for backwards compat */ |
402 | else if (strcmp(args[0].from, "PATH_CHECK") == 0) | 403 | else if (strcmp(args[0].from, "PATH_CHECK") == 0) |
403 | entry->func = FILE_CHECK; | 404 | entry->func = FILE_CHECK; |
405 | else if (strcmp(args[0].from, "MODULE_CHECK") == 0) | ||
406 | entry->func = MODULE_CHECK; | ||
404 | else if (strcmp(args[0].from, "FILE_MMAP") == 0) | 407 | else if (strcmp(args[0].from, "FILE_MMAP") == 0) |
405 | entry->func = FILE_MMAP; | 408 | entry->func = FILE_MMAP; |
406 | else if (strcmp(args[0].from, "BPRM_CHECK") == 0) | 409 | else if (strcmp(args[0].from, "BPRM_CHECK") == 0) |