From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: zohar@linux.vnet.ibm.com, dhowells@redhat.com, jmorris@namei.org
Cc: roberto.sassu@polito.it, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
Dmitry Kasatkin <d.kasatkin@samsung.com>
Subject: [PATCH 15/20] ima: path based policy loading interface
Date: Wed, 23 Apr 2014 16:30:33 +0300 [thread overview]
Message-ID: <0f525fc369d224f149dec6606467109c9cd7e735.1398259638.git.d.kasatkin@samsung.com> (raw)
In-Reply-To: <cover.1398259638.git.d.kasatkin@samsung.com>
In-Reply-To: <cover.1398259638.git.d.kasatkin@samsung.com>
Currently policy is loaded by writing policy content to
'<securityfs>/ima/policy' file.
This patch extends policy loading meachanism with possibility
to load signed policy using a path to the policy.
Policy signature must be available in the <policy>.sig file.
Policy can be loaded like:
echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
---
security/integrity/ima/Kconfig | 13 +++++++
security/integrity/ima/ima.h | 9 +++++
security/integrity/ima/ima_fs.c | 2 +-
security/integrity/ima/ima_policy.c | 74 +++++++++++++++++++++++++++++++++++++
4 files changed, 97 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 5474c47..465cef4 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -140,3 +140,16 @@ config IMA_LOAD_X509
help
This option enables X509 certificate loading from the kernel
to the '_ima' trusted keyring.
+
+config IMA_POLICY_LOADER
+ bool "Path based policy loading interface"
+ depends on IMA_TRUSTED_KEYRING
+ default n
+ help
+ This option enables path based signed policy loading interface.
+ Policy signature must be provided in the <policy>.sig file
+ along with the policy. When this option is enabled, kernel
+ tries to load default policy from /etc/ima_policy.
+
+ Loading policy is like:
+ echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 3b90b60..f2722bb 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -170,6 +170,15 @@ bool ima_default_policy(void);
ssize_t ima_parse_add_rule(char *);
void ima_delete_rules(void);
+#ifdef CONFIG_IMA_POLICY_LOADER
+ssize_t ima_read_policy(char *path);
+#else
+static inline ssize_t ima_read_policy(char *data)
+{
+ return ima_parse_add_rule(data);
+}
+#endif
+
/* Appraise integrity measurements */
#define IMA_APPRAISE_ENFORCE 0x01
#define IMA_APPRAISE_FIX 0x02
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 34ae5f2..bde7a0e 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -273,7 +273,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
if (copy_from_user(data, buf, datalen))
goto out;
- result = ima_parse_add_rule(data);
+ result = ima_read_policy(data);
out:
if (result < 0)
valid_policy = 0;
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index b24e7d1..c6da801 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -17,6 +17,9 @@
#include <linux/parser.h>
#include <linux/slab.h>
#include <linux/genhd.h>
+#ifdef CONFIG_IMA_POLICY_LOADER
+#include <linux/file.h>
+#endif
#include "ima.h"
@@ -747,3 +750,74 @@ void ima_delete_rules(void)
}
mutex_unlock(&ima_rules_mutex);
}
+
+#ifdef CONFIG_IMA_POLICY_LOADER
+
+ssize_t ima_read_policy(char *path)
+{
+ char *data, *datap, *sig;
+ int rc, psize, pathlen = strlen(path);
+ char *p, *sigpath;
+ struct {
+ struct ima_digest_data hdr;
+ char digest[IMA_MAX_DIGEST_SIZE];
+ } hash;
+
+ if (path[0] != '/')
+ return ima_parse_add_rule(path);
+
+ /* remove \n */
+ datap = path;
+ strsep(&datap, "\n");
+
+ /* we always want signature? */
+ sigpath = __getname();
+ if (!sigpath)
+ return -ENOMEM;
+
+ rc = integrity_read_file(path, &data);
+ if (rc < 0)
+ goto free_path;
+
+ psize = rc;
+ datap = data;
+
+ sprintf(sigpath, "%s.sig", path);
+ /* we always want signature? */
+ rc = integrity_read_file(sigpath, &sig);
+ if (rc < 0)
+ goto free_data;
+
+ hash.hdr.algo = ima_hash_algo;
+ ima_get_hash_algo((void *)sig, rc, &hash.hdr);
+ ima_calc_buffer_hash(data, psize, &hash.hdr);
+ rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
+ (const char *)sig, rc,
+ hash.hdr.digest, hash.hdr.length);
+ if (rc) {
+ pr_err("integrity_digsig_verify() = %d\n", rc);
+ goto free_sig;
+ }
+
+ while (psize > 0 && (p = strsep(&datap, "\n"))) {
+ pr_debug("rule: %s\n", p);
+ rc = ima_parse_add_rule(p);
+ if (rc < 0)
+ break;
+ psize -= rc;
+ }
+free_sig:
+ kfree(sig);
+free_data:
+ kfree(data);
+free_path:
+ __putname(sigpath);
+ if (rc < 0)
+ return rc;
+ else if (psize)
+ return -EINVAL;
+ else
+ return pathlen;
+}
+
+#endif
--
1.8.3.2
next prev parent reply other threads:[~2014-04-23 13:42 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-23 13:30 [PATCH 00/20] in-kernel IMA/EVM initialization Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 01/20] KEYS: verify a certificate is signed by a 'trusted' key Dmitry Kasatkin
2014-04-24 16:53 ` Mimi Zohar
2014-04-24 20:07 ` Dmitry Kasatkin
2014-04-24 21:03 ` Mimi Zohar
2014-04-23 13:30 ` [PATCH 02/20] integrity: initialize EVM before IMA Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 03/20] ima: move asymmetric keys config option Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 04/20] integrity: move integrity subsystem options to a separate menu Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 05/20] integrity: provide builtin 'trusted' keyrings Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 06/20] ima: create '_ima' as a builtin 'trusted' keyring Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 07/20] integrity: provide x509 certificate loading from the kernel Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 08/20] ima: load x509 certificate " Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 09/20] evm: create '_evm' as a builtin 'trusted' keyring Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 10/20] evm: load x509 certificate from the kernel Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 11/20] ima: added kernel parameter for disabling IMA Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 12/20] ima: provide buffer hash calculation function Dmitry Kasatkin
2014-04-24 21:04 ` Mimi Zohar
2014-04-25 14:52 ` Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 13/20] ima: replace opencount with bitop Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 14/20] ima: check if policy was set at open Dmitry Kasatkin
2014-04-23 13:30 ` Dmitry Kasatkin [this message]
2014-04-24 21:03 ` [PATCH 15/20] ima: path based policy loading interface Mimi Zohar
2014-04-25 15:18 ` Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 16/20] ima: load policy from the kernel Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 17/20] ima: make IMA policy replaceable at runtime Dmitry Kasatkin
2014-05-14 23:45 ` Mimi Zohar
2014-05-15 6:08 ` Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 18/20] evm: added kernel parameter for disabling EVM Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 19/20] evm: try enable EVM from the kernel Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 20/20] evm: read EVM key " Dmitry Kasatkin
2014-04-24 18:44 ` [PATCH 00/20] in-kernel IMA/EVM initialization Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0f525fc369d224f149dec6606467109c9cd7e735.1398259638.git.d.kasatkin@samsung.com \
--to=d.kasatkin@samsung.com \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=roberto.sassu@polito.it \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).