diff options
Diffstat (limited to 'security/integrity/ima/ima_policy.c')
| -rw-r--r-- | security/integrity/ima/ima_policy.c | 48 |
1 files changed, 34 insertions, 14 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index b5291ad5ef56..e1278399b345 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c | |||
| @@ -45,24 +45,30 @@ struct ima_measure_rule_entry { | |||
| 45 | } lsm[MAX_LSM_RULES]; | 45 | } lsm[MAX_LSM_RULES]; |
| 46 | }; | 46 | }; |
| 47 | 47 | ||
| 48 | /* Without LSM specific knowledge, the default policy can only be | 48 | /* |
| 49 | * Without LSM specific knowledge, the default policy can only be | ||
| 49 | * written in terms of .action, .func, .mask, .fsmagic, and .uid | 50 | * written in terms of .action, .func, .mask, .fsmagic, and .uid |
| 50 | */ | 51 | */ |
| 52 | |||
| 53 | /* | ||
| 54 | * The minimum rule set to allow for full TCB coverage. Measures all files | ||
| 55 | * opened or mmap for exec and everything read by root. Dangerous because | ||
| 56 | * normal users can easily run the machine out of memory simply building | ||
| 57 | * and running executables. | ||
| 58 | */ | ||
| 51 | static struct ima_measure_rule_entry default_rules[] = { | 59 | static struct ima_measure_rule_entry default_rules[] = { |
| 52 | {.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC, | 60 | {.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC}, |
| 53 | .flags = IMA_FSMAGIC}, | ||
| 54 | {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC}, | 61 | {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC}, |
| 55 | {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC}, | 62 | {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC}, |
| 56 | {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC}, | 63 | {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC}, |
| 57 | {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC, | 64 | {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC}, |
| 58 | .flags = IMA_FSMAGIC}, | 65 | {.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC}, |
| 59 | {.action = DONT_MEASURE,.fsmagic = 0xF97CFF8C,.flags = IMA_FSMAGIC}, | ||
| 60 | {.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC, | 66 | {.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC, |
| 61 | .flags = IMA_FUNC | IMA_MASK}, | 67 | .flags = IMA_FUNC | IMA_MASK}, |
| 62 | {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC, | 68 | {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC, |
| 63 | .flags = IMA_FUNC | IMA_MASK}, | 69 | .flags = IMA_FUNC | IMA_MASK}, |
| 64 | {.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0, | 70 | {.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0, |
| 65 | .flags = IMA_FUNC | IMA_MASK | IMA_UID} | 71 | .flags = IMA_FUNC | IMA_MASK | IMA_UID}, |
| 66 | }; | 72 | }; |
| 67 | 73 | ||
| 68 | static LIST_HEAD(measure_default_rules); | 74 | static LIST_HEAD(measure_default_rules); |
| @@ -71,6 +77,14 @@ static struct list_head *ima_measure; | |||
| 71 | 77 | ||
| 72 | static DEFINE_MUTEX(ima_measure_mutex); | 78 | static DEFINE_MUTEX(ima_measure_mutex); |
| 73 | 79 | ||
| 80 | static bool ima_use_tcb __initdata; | ||
| 81 | static int __init default_policy_setup(char *str) | ||
| 82 | { | ||
| 83 | ima_use_tcb = 1; | ||
| 84 | return 1; | ||
| 85 | } | ||
| 86 | __setup("ima_tcb", default_policy_setup); | ||
| 87 | |||
| 74 | /** | 88 | /** |
| 75 | * ima_match_rules - determine whether an inode matches the measure rule. | 89 | * ima_match_rules - determine whether an inode matches the measure rule. |
| 76 | * @rule: a pointer to a rule | 90 | * @rule: a pointer to a rule |
| @@ -96,7 +110,7 @@ static bool ima_match_rules(struct ima_measure_rule_entry *rule, | |||
| 96 | if ((rule->flags & IMA_UID) && rule->uid != tsk->cred->uid) | 110 | if ((rule->flags & IMA_UID) && rule->uid != tsk->cred->uid) |
| 97 | return false; | 111 | return false; |
| 98 | for (i = 0; i < MAX_LSM_RULES; i++) { | 112 | for (i = 0; i < MAX_LSM_RULES; i++) { |
| 99 | int rc; | 113 | int rc = 0; |
| 100 | u32 osid, sid; | 114 | u32 osid, sid; |
| 101 | 115 | ||
| 102 | if (!rule->lsm[i].rule) | 116 | if (!rule->lsm[i].rule) |
| @@ -109,7 +123,7 @@ static bool ima_match_rules(struct ima_measure_rule_entry *rule, | |||
| 109 | security_inode_getsecid(inode, &osid); | 123 | security_inode_getsecid(inode, &osid); |
| 110 | rc = security_filter_rule_match(osid, | 124 | rc = security_filter_rule_match(osid, |
| 111 | rule->lsm[i].type, | 125 | rule->lsm[i].type, |
| 112 | AUDIT_EQUAL, | 126 | Audit_equal, |
| 113 | rule->lsm[i].rule, | 127 | rule->lsm[i].rule, |
| 114 | NULL); | 128 | NULL); |
| 115 | break; | 129 | break; |
| @@ -119,7 +133,7 @@ static bool ima_match_rules(struct ima_measure_rule_entry *rule, | |||
| 119 | security_task_getsecid(tsk, &sid); | 133 | security_task_getsecid(tsk, &sid); |
| 120 | rc = security_filter_rule_match(sid, | 134 | rc = security_filter_rule_match(sid, |
| 121 | rule->lsm[i].type, | 135 | rule->lsm[i].type, |
| 122 | AUDIT_EQUAL, | 136 | Audit_equal, |
| 123 | rule->lsm[i].rule, | 137 | rule->lsm[i].rule, |
| 124 | NULL); | 138 | NULL); |
| 125 | default: | 139 | default: |
| @@ -164,11 +178,17 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask) | |||
| 164 | * ima_measure points to either the measure_default_rules or the | 178 | * ima_measure points to either the measure_default_rules or the |
| 165 | * the new measure_policy_rules. | 179 | * the new measure_policy_rules. |
| 166 | */ | 180 | */ |
| 167 | void ima_init_policy(void) | 181 | void __init ima_init_policy(void) |
| 168 | { | 182 | { |
| 169 | int i; | 183 | int i, entries; |
| 184 | |||
| 185 | /* if !ima_use_tcb set entries = 0 so we load NO default rules */ | ||
| 186 | if (ima_use_tcb) | ||
| 187 | entries = ARRAY_SIZE(default_rules); | ||
| 188 | else | ||
| 189 | entries = 0; | ||
| 170 | 190 | ||
| 171 | for (i = 0; i < ARRAY_SIZE(default_rules); i++) | 191 | for (i = 0; i < entries; i++) |
| 172 | list_add_tail(&default_rules[i].list, &measure_default_rules); | 192 | list_add_tail(&default_rules[i].list, &measure_default_rules); |
| 173 | ima_measure = &measure_default_rules; | 193 | ima_measure = &measure_default_rules; |
| 174 | } | 194 | } |
| @@ -227,7 +247,7 @@ static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry, | |||
| 227 | 247 | ||
| 228 | entry->lsm[lsm_rule].type = audit_type; | 248 | entry->lsm[lsm_rule].type = audit_type; |
| 229 | result = security_filter_rule_init(entry->lsm[lsm_rule].type, | 249 | result = security_filter_rule_init(entry->lsm[lsm_rule].type, |
| 230 | AUDIT_EQUAL, args, | 250 | Audit_equal, args, |
| 231 | &entry->lsm[lsm_rule].rule); | 251 | &entry->lsm[lsm_rule].rule); |
| 232 | return result; | 252 | return result; |
| 233 | } | 253 | } |