diff options
| -rw-r--r-- | Documentation/ABI/testing/ima_policy | 3 | ||||
| -rw-r--r-- | include/linux/ima.h | 6 | ||||
| -rw-r--r-- | security/integrity/ima/ima.h | 2 | ||||
| -rw-r--r-- | security/integrity/ima/ima_api.c | 4 | ||||
| -rw-r--r-- | security/integrity/ima/ima_main.c | 21 | ||||
| -rw-r--r-- | security/integrity/ima/ima_policy.c | 3 | ||||
| -rw-r--r-- | security/security.c | 7 |
7 files changed, 41 insertions, 5 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 986946613542..ec0a38ef3145 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy | |||
| @@ -23,7 +23,7 @@ Description: | |||
| 23 | lsm: [[subj_user=] [subj_role=] [subj_type=] | 23 | lsm: [[subj_user=] [subj_role=] [subj_type=] |
| 24 | [obj_user=] [obj_role=] [obj_type=]] | 24 | [obj_user=] [obj_role=] [obj_type=]] |
| 25 | 25 | ||
| 26 | base: func:= [BPRM_CHECK][FILE_MMAP][FILE_CHECK] | 26 | base: func:= [BPRM_CHECK][FILE_MMAP][FILE_CHECK][MODULE_CHECK] |
| 27 | mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] | 27 | mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] |
| 28 | fsmagic:= hex value | 28 | fsmagic:= hex value |
| 29 | uid:= decimal value | 29 | uid:= decimal value |
| @@ -53,6 +53,7 @@ Description: | |||
| 53 | measure func=BPRM_CHECK | 53 | measure func=BPRM_CHECK |
| 54 | measure func=FILE_MMAP mask=MAY_EXEC | 54 | measure func=FILE_MMAP mask=MAY_EXEC |
| 55 | measure func=FILE_CHECK mask=MAY_READ uid=0 | 55 | measure func=FILE_CHECK mask=MAY_READ uid=0 |
| 56 | measure func=MODULE_CHECK uid=0 | ||
| 56 | appraise fowner=0 | 57 | appraise fowner=0 |
| 57 | 58 | ||
| 58 | The default policy measures all executables in bprm_check, | 59 | The default policy measures all executables in bprm_check, |
diff --git a/include/linux/ima.h b/include/linux/ima.h index 2c7223d7e73b..86c361e947b9 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h | |||
| @@ -18,6 +18,7 @@ extern int ima_bprm_check(struct linux_binprm *bprm); | |||
| 18 | extern int ima_file_check(struct file *file, int mask); | 18 | extern int ima_file_check(struct file *file, int mask); |
| 19 | extern void ima_file_free(struct file *file); | 19 | extern void ima_file_free(struct file *file); |
| 20 | extern int ima_file_mmap(struct file *file, unsigned long prot); | 20 | extern int ima_file_mmap(struct file *file, unsigned long prot); |
| 21 | extern int ima_module_check(struct file *file); | ||
| 21 | 22 | ||
| 22 | #else | 23 | #else |
| 23 | static inline int ima_bprm_check(struct linux_binprm *bprm) | 24 | static inline int ima_bprm_check(struct linux_binprm *bprm) |
| @@ -40,6 +41,11 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot) | |||
| 40 | return 0; | 41 | return 0; |
| 41 | } | 42 | } |
| 42 | 43 | ||
| 44 | static inline int ima_module_check(struct file *file) | ||
| 45 | { | ||
| 46 | return 0; | ||
| 47 | } | ||
| 48 | |||
| 43 | #endif /* CONFIG_IMA_H */ | 49 | #endif /* CONFIG_IMA_H */ |
| 44 | 50 | ||
| 45 | #ifdef CONFIG_IMA_APPRAISE | 51 | #ifdef CONFIG_IMA_APPRAISE |
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 6ee8826662cc..3b2adb794f15 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h | |||
| @@ -127,7 +127,7 @@ struct integrity_iint_cache *integrity_iint_insert(struct inode *inode); | |||
| 127 | struct integrity_iint_cache *integrity_iint_find(struct inode *inode); | 127 | struct integrity_iint_cache *integrity_iint_find(struct inode *inode); |
| 128 | 128 | ||
| 129 | /* IMA policy related functions */ | 129 | /* IMA policy related functions */ |
| 130 | enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK, POST_SETATTR }; | 130 | enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK, MODULE_CHECK, POST_SETATTR }; |
| 131 | 131 | ||
| 132 | int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, | 132 | int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, |
| 133 | int flags); | 133 | int flags); |
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index b356884fb3ef..0cea3db21657 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c | |||
| @@ -100,12 +100,12 @@ err_out: | |||
| 100 | * ima_get_action - appraise & measure decision based on policy. | 100 | * ima_get_action - appraise & measure decision based on policy. |
| 101 | * @inode: pointer to inode to measure | 101 | * @inode: pointer to inode to measure |
| 102 | * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE) | 102 | * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE) |
| 103 | * @function: calling function (FILE_CHECK, BPRM_CHECK, FILE_MMAP) | 103 | * @function: calling function (FILE_CHECK, BPRM_CHECK, FILE_MMAP, MODULE_CHECK) |
| 104 | * | 104 | * |
| 105 | * The policy is defined in terms of keypairs: | 105 | * The policy is defined in terms of keypairs: |
| 106 | * subj=, obj=, type=, func=, mask=, fsmagic= | 106 | * subj=, obj=, type=, func=, mask=, fsmagic= |
| 107 | * subj,obj, and type: are LSM specific. | 107 | * subj,obj, and type: are LSM specific. |
| 108 | * func: FILE_CHECK | BPRM_CHECK | FILE_MMAP | 108 | * func: FILE_CHECK | BPRM_CHECK | FILE_MMAP | MODULE_CHECK |
| 109 | * mask: contains the permission mask | 109 | * mask: contains the permission mask |
| 110 | * fsmagic: hex value | 110 | * fsmagic: hex value |
| 111 | * | 111 | * |
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 73c9a268253e..45de18e9a6f2 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c | |||
| @@ -280,6 +280,27 @@ int ima_file_check(struct file *file, int mask) | |||
| 280 | } | 280 | } |
| 281 | EXPORT_SYMBOL_GPL(ima_file_check); | 281 | EXPORT_SYMBOL_GPL(ima_file_check); |
| 282 | 282 | ||
| 283 | /** | ||
| 284 | * ima_module_check - based on policy, collect/store/appraise measurement. | ||
| 285 | * @file: pointer to the file to be measured/appraised | ||
| 286 | * | ||
| 287 | * Measure/appraise kernel modules based on policy. | ||
| 288 | * | ||
| 289 | * Always return 0 and audit dentry_open failures. | ||
| 290 | * Return code is based upon measurement appraisal. | ||
| 291 | */ | ||
| 292 | int ima_module_check(struct file *file) | ||
| 293 | { | ||
| 294 | int rc; | ||
| 295 | |||
| 296 | if (!file) | ||
| 297 | rc = INTEGRITY_UNKNOWN; | ||
| 298 | else | ||
| 299 | rc = process_measurement(file, file->f_dentry->d_name.name, | ||
| 300 | MAY_EXEC, MODULE_CHECK); | ||
| 301 | return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0; | ||
| 302 | } | ||
| 303 | |||
| 283 | static int __init init_ima(void) | 304 | static int __init init_ima(void) |
| 284 | { | 305 | { |
| 285 | int error; | 306 | int error; |
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index c7dacd2eab7a..af7d182d5a46 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c | |||
| @@ -80,6 +80,7 @@ static struct ima_rule_entry default_rules[] = { | |||
| 80 | .flags = IMA_FUNC | IMA_MASK}, | 80 | .flags = IMA_FUNC | IMA_MASK}, |
| 81 | {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = GLOBAL_ROOT_UID, | 81 | {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = GLOBAL_ROOT_UID, |
| 82 | .flags = IMA_FUNC | IMA_MASK | IMA_UID}, | 82 | .flags = IMA_FUNC | IMA_MASK | IMA_UID}, |
| 83 | {.action = MEASURE,.func = MODULE_CHECK, .flags = IMA_FUNC}, | ||
| 83 | }; | 84 | }; |
| 84 | 85 | ||
| 85 | static struct ima_rule_entry default_appraise_rules[] = { | 86 | static struct ima_rule_entry default_appraise_rules[] = { |
| @@ -401,6 +402,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) | |||
| 401 | /* PATH_CHECK is for backwards compat */ | 402 | /* PATH_CHECK is for backwards compat */ |
| 402 | else if (strcmp(args[0].from, "PATH_CHECK") == 0) | 403 | else if (strcmp(args[0].from, "PATH_CHECK") == 0) |
| 403 | entry->func = FILE_CHECK; | 404 | entry->func = FILE_CHECK; |
| 405 | else if (strcmp(args[0].from, "MODULE_CHECK") == 0) | ||
| 406 | entry->func = MODULE_CHECK; | ||
| 404 | else if (strcmp(args[0].from, "FILE_MMAP") == 0) | 407 | else if (strcmp(args[0].from, "FILE_MMAP") == 0) |
| 405 | entry->func = FILE_MMAP; | 408 | entry->func = FILE_MMAP; |
| 406 | else if (strcmp(args[0].from, "BPRM_CHECK") == 0) | 409 | else if (strcmp(args[0].from, "BPRM_CHECK") == 0) |
diff --git a/security/security.c b/security/security.c index ce88630de15d..daa97f4ac9d1 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -822,7 +822,12 @@ int security_kernel_module_request(char *kmod_name) | |||
| 822 | 822 | ||
| 823 | int security_kernel_module_from_file(struct file *file) | 823 | int security_kernel_module_from_file(struct file *file) |
| 824 | { | 824 | { |
| 825 | return security_ops->kernel_module_from_file(file); | 825 | int ret; |
| 826 | |||
| 827 | ret = security_ops->kernel_module_from_file(file); | ||
| 828 | if (ret) | ||
| 829 | return ret; | ||
| 830 | return ima_module_check(file); | ||
| 826 | } | 831 | } |
| 827 | 832 | ||
| 828 | int security_task_fix_setuid(struct cred *new, const struct cred *old, | 833 | int security_task_fix_setuid(struct cred *new, const struct cred *old, |