ima: re-initialize IMA policy LSM info

Although the IMA policy does not change, the LSM policy can be reloaded, leaving the IMA LSM based rules referring to the old, stale LSM policy. This patch updates the IMA LSM based rules to reflect the reloaded LSM policy. Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be> tested-by: Sven Vermeulen <sven.vermeulen@siphos.be> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Eric Paris <eparis@parisplace.org> Cc: Casey Schaufler <casey@schaufler-ca.com>
author: Mimi Zohar <zohar@linux.vnet.ibm.com> 2013-01-03 14:19:09 -0500
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2013-01-16 15:47:03 -0500
commit: 7163a993840f0906d4ce1e3f193575c99dac21e1 (patch)
tree: 3c1c04f5da24cf2492b20b861c9974549978436c /security
parent: cf9ce948f47640797bd19980e1d99c6d17d0bdc3 (diff)
1 files changed, 58 insertions, 10 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index af7d182d5a46..70f888de880d 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -49,6 +49,7 @@ struct ima_rule_entry {
        kuid_t fowner;
        struct {
                void *rule;     /* LSM file metadata specific */
+                void *args_p;   /* audit value */
                int type;       /* audit type */
        } lsm[MAX_LSM_RULES];
 };
@@ -119,6 +120,35 @@ static int __init default_appraise_policy_setup(char *str)
 }
 __setup("ima_appraise_tcb", default_appraise_policy_setup);
+/* 
+ * Although the IMA policy does not change, the LSM policy can be
+ * reloaded, leaving the IMA LSM based rules referring to the old,
+ * stale LSM policy.
+ *
+ * Update the IMA LSM based rules to reflect the reloaded LSM policy. 
+ * We assume the rules still exist; and BUG_ON() if they don't.
+ */
+static void ima_lsm_update_rules(void)
+{
+        struct ima_rule_entry *entry, *tmp;
+        int result;
+        int i;
+        mutex_lock(&ima_rules_mutex);
+        list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) {
+                for (i = 0; i < MAX_LSM_RULES; i++) {
+                        if (!entry->lsm[i].rule)
+                                continue;
+                        result = security_filter_rule_init(entry->lsm[i].type,
+                                                           Audit_equal,
+                                                           entry->lsm[i].args_p,
+                                                           &entry->lsm[i].rule);
+                        BUG_ON(!entry->lsm[i].rule);
+                }
+        }
+        mutex_unlock(&ima_rules_mutex);
+}
 /**
 * ima_match_rules - determine whether an inode matches the measure rule.
 * @rule: a pointer to a rule
@@ -149,10 +179,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
        for (i = 0; i < MAX_LSM_RULES; i++) {
                int rc = 0;
                u32 osid, sid;
+                int retried = 0;
                if (!rule->lsm[i].rule)
                        continue;
+retry:
                switch (i) {
                case LSM_OBJ_USER:
                case LSM_OBJ_ROLE:
@@ -176,6 +207,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
                default:
                        break;
                }
+                if ((rc < 0) && (!retried)) {
+                        retried = 1;
+                        ima_lsm_update_rules();
+                        goto retry;
+                } 
                if (!rc)
                        return false;
        }
@@ -306,19 +342,27 @@ static match_table_t policy_tokens = {
 };
 static int ima_lsm_rule_init(struct ima_rule_entry *entry,
-                             char *args, int lsm_rule, int audit_type)
+                             substring_t *args, int lsm_rule, int audit_type)
 {
        int result;
        if (entry->lsm[lsm_rule].rule)
                return -EINVAL;
+        entry->lsm[lsm_rule].args_p = match_strdup(args);
+        if (!entry->lsm[lsm_rule].args_p)
+                return -ENOMEM;
        entry->lsm[lsm_rule].type = audit_type;
        result = security_filter_rule_init(entry->lsm[lsm_rule].type,
-                                           Audit_equal, args,
+                                           Audit_equal,
+                                           entry->lsm[lsm_rule].args_p,
                                           &entry->lsm[lsm_rule].rule);
-        if (!entry->lsm[lsm_rule].rule)
+        if (!entry->lsm[lsm_rule].rule) {
+                kfree(entry->lsm[lsm_rule].args_p);
                return -EINVAL;
+        }
        return result;
 }
@@ -481,37 +525,37 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
                        break;
                case Opt_obj_user:
                        ima_log_string(ab, "obj_user", args[0].from);
-                        result = ima_lsm_rule_init(entry, args[0].from,
+                        result = ima_lsm_rule_init(entry, args,
                                                   LSM_OBJ_USER,
                                                   AUDIT_OBJ_USER);
                        break;
                case Opt_obj_role:
                        ima_log_string(ab, "obj_role", args[0].from);
-                        result = ima_lsm_rule_init(entry, args[0].from,
+                        result = ima_lsm_rule_init(entry, args,
                                                   LSM_OBJ_ROLE,
                                                   AUDIT_OBJ_ROLE);
                        break;
                case Opt_obj_type:
                        ima_log_string(ab, "obj_type", args[0].from);
-                        result = ima_lsm_rule_init(entry, args[0].from,
+                        result = ima_lsm_rule_init(entry, args,
                                                   LSM_OBJ_TYPE,
                                                   AUDIT_OBJ_TYPE);
                        break;
                case Opt_subj_user:
                        ima_log_string(ab, "subj_user", args[0].from);
-                        result = ima_lsm_rule_init(entry, args[0].from,
+                        result = ima_lsm_rule_init(entry, args,
                                                   LSM_SUBJ_USER,
                                                   AUDIT_SUBJ_USER);
                        break;
                case Opt_subj_role:
                        ima_log_string(ab, "subj_role", args[0].from);
-                        result = ima_lsm_rule_init(entry, args[0].from,
+                        result = ima_lsm_rule_init(entry, args,
                                                   LSM_SUBJ_ROLE,
                                                   AUDIT_SUBJ_ROLE);
                        break;
                case Opt_subj_type:
                        ima_log_string(ab, "subj_type", args[0].from);
-                        result = ima_lsm_rule_init(entry, args[0].from,
+                        result = ima_lsm_rule_init(entry, args,
                                                   LSM_SUBJ_TYPE,
                                                   AUDIT_SUBJ_TYPE);
                        break;
@@ -589,9 +633,13 @@ ssize_t ima_parse_add_rule(char *rule)
 void ima_delete_rules(void)
 {
        struct ima_rule_entry *entry, *tmp;
+        int i;
        mutex_lock(&ima_rules_mutex);
        list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) {
+                for (i = 0; i < MAX_LSM_RULES; i++)
+                        kfree(entry->lsm[i].args_p);
                list_del(&entry->list);
                kfree(entry);
        }
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	2013-01-03 14:19:09 -0500
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2013-01-16 15:47:03 -0500
commit	7163a993840f0906d4ce1e3f193575c99dac21e1 (patch)
tree	3c1c04f5da24cf2492b20b861c9974549978436c /security
parent	cf9ce948f47640797bd19980e1d99c6d17d0bdc3 (diff)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index af7d182d5a46..70f888de880d 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c
@@ -49,6 +49,7 @@ struct ima_rule_entry {
49	kuid_t fowner;	49	kuid_t fowner;
50	struct {	50	struct {
51	void rule; / LSM file metadata specific */	51	void rule; / LSM file metadata specific */
		52	void args_p; / audit value */
52	int type; /* audit type */	53	int type; /* audit type */
53	} lsm[MAX_LSM_RULES];	54	} lsm[MAX_LSM_RULES];
54	};	55	};
@@ -119,6 +120,35 @@ static int __init default_appraise_policy_setup(char *str)
119	}	120	}
120	__setup("ima_appraise_tcb", default_appraise_policy_setup);	121	__setup("ima_appraise_tcb", default_appraise_policy_setup);
121		122
		123	/*
		124	* Although the IMA policy does not change, the LSM policy can be
		125	* reloaded, leaving the IMA LSM based rules referring to the old,
		126	* stale LSM policy.
		127	*
		128	* Update the IMA LSM based rules to reflect the reloaded LSM policy.
		129	* We assume the rules still exist; and BUG_ON() if they don't.
		130	*/
		131	static void ima_lsm_update_rules(void)
		132	{
		133	struct ima_rule_entry entry, tmp;
		134	int result;
		135	int i;
		136
		137	mutex_lock(&ima_rules_mutex);
		138	list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) {
		139	for (i = 0; i < MAX_LSM_RULES; i++) {
		140	if (!entry->lsm[i].rule)
		141	continue;
		142	result = security_filter_rule_init(entry->lsm[i].type,
		143	Audit_equal,
		144	entry->lsm[i].args_p,
		145	&entry->lsm[i].rule);
		146	BUG_ON(!entry->lsm[i].rule);
		147	}
		148	}
		149	mutex_unlock(&ima_rules_mutex);
		150	}
		151
122	/**	152	/**
123	* ima_match_rules - determine whether an inode matches the measure rule.	153	* ima_match_rules - determine whether an inode matches the measure rule.
124	* @rule: a pointer to a rule	154	* @rule: a pointer to a rule
@@ -149,10 +179,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
149	for (i = 0; i < MAX_LSM_RULES; i++) {	179	for (i = 0; i < MAX_LSM_RULES; i++) {
150	int rc = 0;	180	int rc = 0;
151	u32 osid, sid;	181	u32 osid, sid;
		182	int retried = 0;
152		183
153	if (!rule->lsm[i].rule)	184	if (!rule->lsm[i].rule)
154	continue;	185	continue;
155		186	retry:
156	switch (i) {	187	switch (i) {
157	case LSM_OBJ_USER:	188	case LSM_OBJ_USER:
158	case LSM_OBJ_ROLE:	189	case LSM_OBJ_ROLE:
@@ -176,6 +207,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
176	default:	207	default:
177	break;	208	break;
178	}	209	}
		210	if ((rc < 0) && (!retried)) {
		211	retried = 1;
		212	ima_lsm_update_rules();
		213	goto retry;
		214	}
179	if (!rc)	215	if (!rc)
180	return false;	216	return false;
181	}	217	}
@@ -306,19 +342,27 @@ static match_table_t policy_tokens = {
306	};	342	};
307		343
308	static int ima_lsm_rule_init(struct ima_rule_entry *entry,	344	static int ima_lsm_rule_init(struct ima_rule_entry *entry,
309	char *args, int lsm_rule, int audit_type)	345	substring_t *args, int lsm_rule, int audit_type)
310	{	346	{
311	int result;	347	int result;
312		348
313	if (entry->lsm[lsm_rule].rule)	349	if (entry->lsm[lsm_rule].rule)
314	return -EINVAL;	350	return -EINVAL;
315		351
		352	entry->lsm[lsm_rule].args_p = match_strdup(args);
		353	if (!entry->lsm[lsm_rule].args_p)
		354	return -ENOMEM;
		355
316	entry->lsm[lsm_rule].type = audit_type;	356	entry->lsm[lsm_rule].type = audit_type;
317	result = security_filter_rule_init(entry->lsm[lsm_rule].type,	357	result = security_filter_rule_init(entry->lsm[lsm_rule].type,
318	Audit_equal, args,	358	Audit_equal,
		359	entry->lsm[lsm_rule].args_p,
319	&entry->lsm[lsm_rule].rule);	360	&entry->lsm[lsm_rule].rule);
320	if (!entry->lsm[lsm_rule].rule)	361	if (!entry->lsm[lsm_rule].rule) {
		362	kfree(entry->lsm[lsm_rule].args_p);
321	return -EINVAL;	363	return -EINVAL;
		364	}
		365
322	return result;	366	return result;
323	}	367	}
324		368
@@ -481,37 +525,37 @@ static int ima_parse_rule(char rule, struct ima_rule_entry entry)
481	break;	525	break;
482	case Opt_obj_user:	526	case Opt_obj_user:
483	ima_log_string(ab, "obj_user", args[0].from);	527	ima_log_string(ab, "obj_user", args[0].from);
484	result = ima_lsm_rule_init(entry, args[0].from,	528	result = ima_lsm_rule_init(entry, args,
485	LSM_OBJ_USER,	529	LSM_OBJ_USER,
486	AUDIT_OBJ_USER);	530	AUDIT_OBJ_USER);
487	break;	531	break;
488	case Opt_obj_role:	532	case Opt_obj_role:
489	ima_log_string(ab, "obj_role", args[0].from);	533	ima_log_string(ab, "obj_role", args[0].from);
490	result = ima_lsm_rule_init(entry, args[0].from,	534	result = ima_lsm_rule_init(entry, args,
491	LSM_OBJ_ROLE,	535	LSM_OBJ_ROLE,
492	AUDIT_OBJ_ROLE);	536	AUDIT_OBJ_ROLE);
493	break;	537	break;
494	case Opt_obj_type:	538	case Opt_obj_type:
495	ima_log_string(ab, "obj_type", args[0].from);	539	ima_log_string(ab, "obj_type", args[0].from);
496	result = ima_lsm_rule_init(entry, args[0].from,	540	result = ima_lsm_rule_init(entry, args,
497	LSM_OBJ_TYPE,	541	LSM_OBJ_TYPE,
498	AUDIT_OBJ_TYPE);	542	AUDIT_OBJ_TYPE);
499	break;	543	break;
500	case Opt_subj_user:	544	case Opt_subj_user:
501	ima_log_string(ab, "subj_user", args[0].from);	545	ima_log_string(ab, "subj_user", args[0].from);
502	result = ima_lsm_rule_init(entry, args[0].from,	546	result = ima_lsm_rule_init(entry, args,
503	LSM_SUBJ_USER,	547	LSM_SUBJ_USER,
504	AUDIT_SUBJ_USER);	548	AUDIT_SUBJ_USER);
505	break;	549	break;
506	case Opt_subj_role:	550	case Opt_subj_role:
507	ima_log_string(ab, "subj_role", args[0].from);	551	ima_log_string(ab, "subj_role", args[0].from);
508	result = ima_lsm_rule_init(entry, args[0].from,	552	result = ima_lsm_rule_init(entry, args,
509	LSM_SUBJ_ROLE,	553	LSM_SUBJ_ROLE,
510	AUDIT_SUBJ_ROLE);	554	AUDIT_SUBJ_ROLE);
511	break;	555	break;
512	case Opt_subj_type:	556	case Opt_subj_type:
513	ima_log_string(ab, "subj_type", args[0].from);	557	ima_log_string(ab, "subj_type", args[0].from);
514	result = ima_lsm_rule_init(entry, args[0].from,	558	result = ima_lsm_rule_init(entry, args,
515	LSM_SUBJ_TYPE,	559	LSM_SUBJ_TYPE,
516	AUDIT_SUBJ_TYPE);	560	AUDIT_SUBJ_TYPE);
517	break;	561	break;
@@ -589,9 +633,13 @@ ssize_t ima_parse_add_rule(char *rule)
589	void ima_delete_rules(void)	633	void ima_delete_rules(void)
590	{	634	{
591	struct ima_rule_entry entry, tmp;	635	struct ima_rule_entry entry, tmp;
		636	int i;
592		637
593	mutex_lock(&ima_rules_mutex);	638	mutex_lock(&ima_rules_mutex);
594	list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) {	639	list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) {
		640	for (i = 0; i < MAX_LSM_RULES; i++)
		641	kfree(entry->lsm[i].args_p);
		642
595	list_del(&entry->list);	643	list_del(&entry->list);
596	kfree(entry);	644	kfree(entry);
597	}	645	}