From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <1454965936.3037.34.camel@linux.vnet.ibm.com>
Subject: Re: [PATCH v3 20/22] ima: load policy using path
From: Mimi Zohar
To: Dmitry Kasatkin
Cc: Petko Manolov, "linux-security-module@vger.kernel.org", "Luis R. Rodriguez", "kexec@lists.infradead.org", "linux-modules@vger.kernel.org", "fsdevel@vger.kernel.org", David Howells, David Woodhouse, Kees Cook, Dmitry Torokhov, Dmitry Kasatkin, Eric Biederman, Rusty Russell, Dmitry Kasatkin
Date: Mon, 08 Feb 2016 16:12:16 -0500
References: <1454526390-19792-1-git-send-email-zohar@linux.vnet.ibm.com> <1454526390-19792-21-git-send-email-zohar@linux.vnet.ibm.com> <20160207195945.GG17321@localhost> <20160208103505.GA7931@bender.nucleusys.com>

On Mon, 2016-02-08 at 10:45 +0000, Dmitry Kasatkin wrote:
> > > @@ -286,9 +322,12 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, > > > result = mutex_lock_interruptible(&ima_write_mutex); > > > if (result < 0) > > > goto out_free; > > > - result = ima_parse_add_rule(data); > > > - mutex_unlock(&ima_write_mutex); > > > > > > + if (data[0] == '/')
> >
> > >It seems that if we feed relative path to ima_policy the update will fail...
> >
> > Yes, I think it is always a good idea to pass absolute path.
>
> What if we at least emit a warning so people know what's wrong?

The next patch "ima: measure and appraise the IMA policy itself" adds the following. Is a failure message enough?

+ else if (ima_appraise & IMA_APPRAISE_POLICY) { + pr_err("IMA: signed policy required\n"); + integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, + "policy_update", "signed policy required", + 1, 0); + if (ima_appraise & IMA_APPRAISE_ENFORCE) + result = -EACCES; + } else result = ima_parse_add_rule(data);

>
> Petko
>
> DK: May be a good idea to print that loading policy by path or not.

Are we including the pathname? Are you suggesting a log or audit message?

Mimi
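
Review bot: In the quoted ima_write_policy() hunk, the test if (data[0] == '/') is the only thing that selects load-by-path, so a relative pathname written to the policy file falls through to the non-path branch and fails without any hint that an absolute path was expected. Emit a message on that branch saying that a policy file must be named by absolute pathname, or state the restriction in the interface documentation. The hunk also removes mutex_unlock(&ima_write_mutex) and its replacement is not visible in the quoted lines, so check that every new branch still releases the mutex before returning.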
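
Review bot: In the else-if branch added by the second hunk, when IMA_APPRAISE_POLICY is set but IMA_APPRAISE_ENFORCE is not, result is never assigned and ima_parse_add_rule(data) is skipped, so as far as these lines show the write returns whatever mutex_lock_interruptible() left in result while the rule is neither applied nor rejected. Assign result explicitly in the non-enforcing case, or document that the rule is intentionally dropped there. The text "signed policy required" also does not mention that the accepted form is an absolute pathname, which is the case the thread asks about, and the bare else after a braced block should take braces to match kernel coding style.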