From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Mickael Salaun <mic@digikod.net>, Steve Grubb <sgrubb@redhat.com>,
Jann Horn <jannh@google.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] ima: add policy support for identifying file execute mode bit
Date: Wed, 29 Apr 2020 09:38:42 -0400 [thread overview]
Message-ID: <1588167523-7866-2-git-send-email-zohar@linux.ibm.com> (raw)
In-Reply-To: <1588167523-7866-1-git-send-email-zohar@linux.ibm.com>
Extend the IMA policy language with "mode=IXUGO" to identify files with
the execute mode bit enabled.
Examples:
measure func=FILE_CHECK mode=IXUGO
appraise func=FILE_CHECK appraise_type=imasig mode=IXUGO
Suggested-by: Steve Grubb <sgrubb@redhat.com> (based on execute mode bit)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
Documentation/ABI/testing/ima_policy | 5 +++--
security/integrity/ima/ima_policy.c | 18 ++++++++++++++++--
2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index cd572912c593..a12e784cee31 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -20,8 +20,8 @@ Description:
action: measure | dont_measure | appraise | dont_appraise |
audit | hash | dont_hash
condition:= base | lsm [option]
- base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
- [euid=] [fowner=] [fsname=]]
+ base: [[func=] [mask=] [mode=] [fsmagic=] [fsuuid=]
+ [uid=] [euid=] [fowner=] [fsname=]]
lsm: [[subj_user=] [subj_role=] [subj_type=]
[obj_user=] [obj_role=] [obj_type=]]
option: [[appraise_type=]] [template=] [permit_directio]
@@ -32,6 +32,7 @@ Description:
[KEXEC_CMDLINE] [KEY_CHECK]
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
[[^]MAY_EXEC]
+ mode:= [IXUGO]
fsmagic:= hex value
fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
uid:= decimal value
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index ef7f68cc935e..28b68e076638 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -33,6 +33,7 @@
#define IMA_PCR 0x0100
#define IMA_FSNAME 0x0200
#define IMA_KEYRINGS 0x0400
+#define IMA_IXUGO 0x0800
#define UNKNOWN 0
#define MEASURE 0x0001 /* same as IMA_MEASURE */
@@ -435,6 +436,8 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
if ((rule->flags & IMA_INMASK) &&
(!(rule->mask & mask) && func != POST_SETATTR))
return false;
+ if ((rule->flags & IMA_IXUGO) && !(inode->i_mode & S_IXUGO))
+ return false;
if ((rule->flags & IMA_FSMAGIC)
&& rule->fsmagic != inode->i_sb->s_magic)
return false;
@@ -459,6 +462,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
if ((rule->flags & IMA_FOWNER) &&
!rule->fowner_op(inode->i_uid, rule->fowner))
return false;
+
for (i = 0; i < MAX_LSM_RULES; i++) {
int rc = 0;
u32 osid;
@@ -822,7 +826,7 @@ enum {
Opt_audit, Opt_hash, Opt_dont_hash,
Opt_obj_user, Opt_obj_role, Opt_obj_type,
Opt_subj_user, Opt_subj_role, Opt_subj_type,
- Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname,
+ Opt_func, Opt_mask, Opt_mode, Opt_fsmagic, Opt_fsname,
Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
@@ -847,6 +851,7 @@ static const match_table_t policy_tokens = {
{Opt_subj_type, "subj_type=%s"},
{Opt_func, "func=%s"},
{Opt_mask, "mask=%s"},
+ {Opt_mode, "mode=%s"},
{Opt_fsmagic, "fsmagic=%s"},
{Opt_fsname, "fsname=%s"},
{Opt_fsuuid, "fsuuid=%s"},
@@ -1098,6 +1103,13 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
entry->flags |= (*args[0].from == '^')
? IMA_INMASK : IMA_MASK;
break;
+ case Opt_mode:
+ ima_log_string(ab, "mode", args[0].from);
+ if ((strcmp(args[0].from, "IXUGO")) == 0)
+ entry->flags |= IMA_IXUGO;
+ else
+ result = -EINVAL;
+ break;
case Opt_fsmagic:
ima_log_string(ab, "fsmagic", args[0].from);
@@ -1185,7 +1197,6 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
uid_token = (token == Opt_uid_eq) ||
(token == Opt_uid_gt) ||
(token == Opt_uid_lt);
-
ima_log_string_op(ab, uid_token ? "uid" : "euid",
args[0].from, entry->uid_op);
@@ -1522,6 +1533,9 @@ int ima_policy_show(struct seq_file *m, void *v)
seq_puts(m, " ");
}
+ if (entry->flags & IMA_IXUGO)
+ seq_puts(m, "mode=IXUGO ");
+
if (entry->flags & IMA_FSMAGIC) {
snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
seq_printf(m, pt(Opt_fsmagic), tbuf);
--
2.7.5
next prev parent reply other threads:[~2020-04-29 13:39 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-29 13:38 [PATCH 0/2] ima: extending IMA policy to support interpreters Mimi Zohar
2020-04-29 13:38 ` Mimi Zohar [this message]
2020-04-29 17:22 ` [PATCH 1/2] ima: add policy support for identifying file execute mode bit Lakshmi Ramasubramanian
2020-04-29 13:38 ` [PATCH 2/2] ima: add policy support for the new file open MAY_OPENEXEC flag Mimi Zohar
2020-04-29 17:22 ` Lakshmi Ramasubramanian
2020-04-29 21:24 ` kbuild test robot
2020-04-29 21:24 ` kbuild test robot
2020-04-30 13:42 ` Mimi Zohar
2020-04-30 14:26 ` Mickaël Salaün
2020-04-30 14:26 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1588167523-7866-2-git-send-email-zohar@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=jannh@google.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.