aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--Documentation/ABI/testing/ima_policy2
-rw-r--r--security/integrity/ima/ima_api.c10
-rw-r--r--security/integrity/ima/ima_main.c5
-rw-r--r--security/integrity/ima/ima_policy.c6
-rw-r--r--security/integrity/integrity.h1
5 files changed, 20 insertions, 4 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index f1c5cc9d17a8..4c3efe434806 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -23,7 +23,7 @@ Description:
23 [fowner]] 23 [fowner]]
24 lsm: [[subj_user=] [subj_role=] [subj_type=] 24 lsm: [[subj_user=] [subj_role=] [subj_type=]
25 [obj_user=] [obj_role=] [obj_type=]] 25 [obj_user=] [obj_role=] [obj_type=]]
26 option: [[appraise_type=]] 26 option: [[appraise_type=]] [permit_directio]
27 27
28 base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK] 28 base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
29 mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] 29 mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index ba9e4d792dd5..d9cd5ce14d2b 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -199,6 +199,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
199 struct evm_ima_xattr_data **xattr_value, 199 struct evm_ima_xattr_data **xattr_value,
200 int *xattr_len) 200 int *xattr_len)
201{ 201{
202 const char *audit_cause = "failed";
202 struct inode *inode = file_inode(file); 203 struct inode *inode = file_inode(file);
203 const char *filename = file->f_dentry->d_name.name; 204 const char *filename = file->f_dentry->d_name.name;
204 int result = 0; 205 int result = 0;
@@ -213,6 +214,12 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
213 if (!(iint->flags & IMA_COLLECTED)) { 214 if (!(iint->flags & IMA_COLLECTED)) {
214 u64 i_version = file_inode(file)->i_version; 215 u64 i_version = file_inode(file)->i_version;
215 216
217 if (file->f_flags & O_DIRECT) {
218 audit_cause = "failed(directio)";
219 result = -EACCES;
220 goto out;
221 }
222
216 /* use default hash algorithm */ 223 /* use default hash algorithm */
217 hash.hdr.algo = ima_hash_algo; 224 hash.hdr.algo = ima_hash_algo;
218 225
@@ -233,9 +240,10 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
233 result = -ENOMEM; 240 result = -ENOMEM;
234 } 241 }
235 } 242 }
243out:
236 if (result) 244 if (result)
237 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, 245 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
238 filename, "collect_data", "failed", 246 filename, "collect_data", audit_cause,
239 result, 0); 247 result, 0);
240 return result; 248 return result;
241} 249}
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 52ac6cf41f88..dcc98cf542d8 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -214,8 +214,11 @@ static int process_measurement(struct file *file, const char *filename,
214 xattr_ptr = &xattr_value; 214 xattr_ptr = &xattr_value;
215 215
216 rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len); 216 rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len);
217 if (rc != 0) 217 if (rc != 0) {
218 if (file->f_flags & O_DIRECT)
219 rc = (iint->flags & IMA_PERMIT_DIRECTIO) ? 0 : -EACCES;
218 goto out_digsig; 220 goto out_digsig;
221 }
219 222
220 pathname = filename ?: ima_d_path(&file->f_path, &pathbuf); 223 pathname = filename ?: ima_d_path(&file->f_path, &pathbuf);
221 224
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 93873a450ff7..40a7488f6721 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -353,7 +353,7 @@ enum {
353 Opt_obj_user, Opt_obj_role, Opt_obj_type, 353 Opt_obj_user, Opt_obj_role, Opt_obj_type,
354 Opt_subj_user, Opt_subj_role, Opt_subj_type, 354 Opt_subj_user, Opt_subj_role, Opt_subj_type,
355 Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner, 355 Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner,
356 Opt_appraise_type, Opt_fsuuid 356 Opt_appraise_type, Opt_fsuuid, Opt_permit_directio
357}; 357};
358 358
359static match_table_t policy_tokens = { 359static match_table_t policy_tokens = {
@@ -375,6 +375,7 @@ static match_table_t policy_tokens = {
375 {Opt_uid, "uid=%s"}, 375 {Opt_uid, "uid=%s"},
376 {Opt_fowner, "fowner=%s"}, 376 {Opt_fowner, "fowner=%s"},
377 {Opt_appraise_type, "appraise_type=%s"}, 377 {Opt_appraise_type, "appraise_type=%s"},
378 {Opt_permit_directio, "permit_directio"},
378 {Opt_err, NULL} 379 {Opt_err, NULL}
379}; 380};
380 381
@@ -622,6 +623,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
622 else 623 else
623 result = -EINVAL; 624 result = -EINVAL;
624 break; 625 break;
626 case Opt_permit_directio:
627 entry->flags |= IMA_PERMIT_DIRECTIO;
628 break;
625 case Opt_err: 629 case Opt_err:
626 ima_log_string(ab, "UNKNOWN", p); 630 ima_log_string(ab, "UNKNOWN", p);
627 result = -EINVAL; 631 result = -EINVAL;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 2fb5e53e927f..33c0a70f6b15 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -30,6 +30,7 @@
30#define IMA_ACTION_FLAGS 0xff000000 30#define IMA_ACTION_FLAGS 0xff000000
31#define IMA_DIGSIG 0x01000000 31#define IMA_DIGSIG 0x01000000
32#define IMA_DIGSIG_REQUIRED 0x02000000 32#define IMA_DIGSIG_REQUIRED 0x02000000
33#define IMA_PERMIT_DIRECTIO 0x04000000
33 34
34#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ 35#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
35 IMA_APPRAISE_SUBMASK) 36 IMA_APPRAISE_SUBMASK)
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-17 22:27:28 -0500