From: Nayna Jain <nayna@linux.vnet.ibm.com> To: linux-integrity@vger.kernel.org Cc: zohar@linux.ibm.com, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com, Nayna Jain <nayna@linux.vnet.ibm.com> Subject: [PATCH v2 5/6] ima: add support for external setting of ima_appraise Date: Fri, 14 Sep 2018 13:30:04 +0530 [thread overview] Message-ID: <20180914080005.6138-6-nayna@linux.vnet.ibm.com> (raw) In-Reply-To: <20180914080005.6138-1-nayna@linux.vnet.ibm.com> The "ima_appraise" mode defaults to enforcing, unless configured to allow the boot command line "ima_appraise" option. This patch explicitly sets the "ima_appraise" mode for the arch specific policy setting. Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> --- security/integrity/ima/ima.h | 5 +++++ security/integrity/ima/ima_appraise.c | 11 +++++++++-- security/integrity/ima/ima_policy.c | 5 ++++- 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 588e4813370c..6e5fa7c42809 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -248,6 +248,7 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len); int ima_read_xattr(struct dentry *dentry, struct evm_ima_xattr_data **xattr_value); +void set_ima_appraise(char *str); #else static inline int ima_appraise_measurement(enum ima_hooks func, @@ -290,6 +291,10 @@ static inline int ima_read_xattr(struct dentry *dentry, return 0; } +static inline void set_ima_appraise(char *str) +{ +} + #endif /* CONFIG_IMA_APPRAISE */ /* LSM based policy rules require audit */ diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 8bd7a0733e51..e061613bcb87 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -18,15 +18,22 @@ #include "ima.h" -static int __init default_appraise_setup(char *str) +void set_ima_appraise(char *str) { -#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM if (strncmp(str, "off", 3) == 0) ima_appraise = 0; else if (strncmp(str, "log", 3) == 0) ima_appraise = IMA_APPRAISE_LOG; else if (strncmp(str, "fix", 3) == 0) ima_appraise = IMA_APPRAISE_FIX; + else if (strncmp(str, "enforce", 7) == 0) + ima_appraise = IMA_APPRAISE_ENFORCE; +} + +static int __init default_appraise_setup(char *str) +{ +#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM + set_ima_appraise(str); #endif return 1; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 23f3aa214016..c574841bcc9a 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -585,9 +585,12 @@ void __init ima_init_policy(void) arch_entries = ima_init_arch_policy(); if (!arch_entries) pr_info("No architecture policies found\n"); - else + else { add_rules(arch_policy_entry, arch_entries, IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); + if (temp_ima_appraise) + set_ima_appraise("enforce"); + } /* * Insert the builtin "secure_boot" policy rules requiring file -- 2.13.6
WARNING: multiple messages have this Message-ID (diff)
From: nayna@linux.vnet.ibm.com (Nayna Jain) To: linux-security-module@vger.kernel.org Subject: [PATCH v2 5/6] ima: add support for external setting of ima_appraise Date: Fri, 14 Sep 2018 13:30:04 +0530 [thread overview] Message-ID: <20180914080005.6138-6-nayna@linux.vnet.ibm.com> (raw) In-Reply-To: <20180914080005.6138-1-nayna@linux.vnet.ibm.com> The "ima_appraise" mode defaults to enforcing, unless configured to allow the boot command line "ima_appraise" option. This patch explicitly sets the "ima_appraise" mode for the arch specific policy setting. Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> --- security/integrity/ima/ima.h | 5 +++++ security/integrity/ima/ima_appraise.c | 11 +++++++++-- security/integrity/ima/ima_policy.c | 5 ++++- 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 588e4813370c..6e5fa7c42809 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -248,6 +248,7 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len); int ima_read_xattr(struct dentry *dentry, struct evm_ima_xattr_data **xattr_value); +void set_ima_appraise(char *str); #else static inline int ima_appraise_measurement(enum ima_hooks func, @@ -290,6 +291,10 @@ static inline int ima_read_xattr(struct dentry *dentry, return 0; } +static inline void set_ima_appraise(char *str) +{ +} + #endif /* CONFIG_IMA_APPRAISE */ /* LSM based policy rules require audit */ diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 8bd7a0733e51..e061613bcb87 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -18,15 +18,22 @@ #include "ima.h" -static int __init default_appraise_setup(char *str) +void set_ima_appraise(char *str) { -#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM if (strncmp(str, "off", 3) == 0) ima_appraise = 0; else if (strncmp(str, "log", 3) == 0) ima_appraise = IMA_APPRAISE_LOG; else if (strncmp(str, "fix", 3) == 0) ima_appraise = IMA_APPRAISE_FIX; + else if (strncmp(str, "enforce", 7) == 0) + ima_appraise = IMA_APPRAISE_ENFORCE; +} + +static int __init default_appraise_setup(char *str) +{ +#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM + set_ima_appraise(str); #endif return 1; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 23f3aa214016..c574841bcc9a 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -585,9 +585,12 @@ void __init ima_init_policy(void) arch_entries = ima_init_arch_policy(); if (!arch_entries) pr_info("No architecture policies found\n"); - else + else { add_rules(arch_policy_entry, arch_entries, IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); + if (temp_ima_appraise) + set_ima_appraise("enforce"); + } /* * Insert the builtin "secure_boot" policy rules requiring file -- 2.13.6
next prev parent reply other threads:[~2018-09-14 8:03 UTC|newest] Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-09-14 7:59 [PATCH v2 0/6] Add support for architecture specific IMA policies Nayna Jain 2018-09-14 7:59 ` Nayna Jain 2018-09-14 8:00 ` [PATCH v2 1/6] ima: define arch_ima_get_secureboot Nayna Jain 2018-09-14 8:00 ` Nayna Jain 2018-09-14 8:00 ` [PATCH v2 2/6] ima: prevent kexec_load syscall based on runtime secureboot flag Nayna Jain 2018-09-14 8:00 ` Nayna Jain 2018-09-14 8:00 ` [PATCH v2 3/6] ima: refactor ima_init_policy() Nayna Jain 2018-09-14 8:00 ` Nayna Jain 2018-09-14 8:00 ` [PATCH v2 4/6] ima: add support for arch specific policies Nayna Jain 2018-09-14 8:00 ` Nayna Jain 2018-09-14 8:00 ` Nayna Jain [this message] 2018-09-14 8:00 ` [PATCH v2 5/6] ima: add support for external setting of ima_appraise Nayna Jain 2018-09-14 8:00 ` [PATCH v2 6/6] x86/ima: define arch_get_ima_policy() for x86 Nayna Jain 2018-09-14 8:00 ` Nayna Jain 2018-09-14 13:50 ` kbuild test robot 2018-09-14 13:50 ` kbuild test robot 2018-09-14 13:50 ` kbuild test robot 2018-09-14 13:50 ` kbuild test robot
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20180914080005.6138-6-nayna@linux.vnet.ibm.com \ --to=nayna@linux.vnet.ibm.com \ --cc=dhowells@redhat.com \ --cc=jforbes@redhat.com \ --cc=linux-efi@vger.kernel.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.