lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-id: <558a8e9da9e9ca542a484cd14de82896028a6f6e.1398259638.git.d.kasatkin@samsung.com>
Date:	Wed, 23 Apr 2014 16:30:34 +0300
From:	Dmitry Kasatkin <d.kasatkin@...sung.com>
To:	zohar@...ux.vnet.ibm.com, dhowells@...hat.com, jmorris@...ei.org
Cc:	roberto.sassu@...ito.it, linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Dmitry Kasatkin <d.kasatkin@...sung.com>
Subject: [PATCH 16/20] ima: load policy from the kernel

This patch provide IMA policy loading from the kernel.
When CONFIG_IMA_KERNEL_POLICY is enabled, kernel tries
to load default /etc/ima_policy. Policy signature must
be located in /etc/ima_policy.sig.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@...sung.com>
---
 security/integrity/ima/Kconfig    |  7 +++++++
 security/integrity/ima/ima.h      |  8 ++++++++
 security/integrity/ima/ima_fs.c   | 18 +++++++++++++++++-
 security/integrity/ima/ima_init.c |  1 +
 4 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 465cef4..b00044f 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -153,3 +153,10 @@ config IMA_POLICY_LOADER
 
 	  Loading policy is like:
 	  echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy
+
+config IMA_KERNEL_POLICY
+	bool "Load IMA policy from the kernel"
+	depends on IMA_POLICY_LOADER
+	default n
+	help
+	  This option enables IMA policy loading from the kernel.
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index f2722bb..3727cf7 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -179,6 +179,14 @@ static inline ssize_t ima_read_policy(char *data)
 }
 #endif
 
+#ifdef CONFIG_IMA_KERNEL_POLICY
+void ima_load_policy(char *path);
+#else
+static inline void ima_load_policy(char *path)
+{
+}
+#endif
+
 /* Appraise integrity measurements */
 #define IMA_APPRAISE_ENFORCE	0x01
 #define IMA_APPRAISE_FIX	0x02
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index bde7a0e..d050a5c 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -319,7 +319,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp)
  * point to the new policy rules, and remove the securityfs policy file,
  * assuming a valid policy.
  */
-static int ima_release_policy(struct inode *inode, struct file *file)
+static void ima_check_policy(void)
 {
 	if (!valid_policy) {
 		ima_delete_rules();
@@ -328,6 +328,11 @@ static int ima_release_policy(struct inode *inode, struct file *file)
 		ima_update_policy();
 	}
 	clear_bit(IMA_FS_BUSY, &ima_fs_flags);
+}
+
+static int ima_release_policy(struct inode *inode, struct file *file)
+{
+	ima_check_policy();
 	return 0;
 }
 
@@ -338,6 +343,17 @@ static const struct file_operations ima_measure_policy_ops = {
 	.llseek = generic_file_llseek,
 };
 
+#ifdef CONFIG_IMA_KERNEL_POLICY
+void __init ima_load_policy(char *path)
+{
+	if (test_and_set_bit(IMA_FS_BUSY, &ima_fs_flags))
+		return;
+	if (ima_read_policy(path) < 0)
+		valid_policy = 0;
+	ima_check_policy();
+}
+#endif
+
 int __init ima_fs_init(void)
 {
 	ima_dir = securityfs_create_dir("ima", NULL);
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index c13d6a8..d1a6483 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -109,6 +109,7 @@ int __init ima_init(void)
 	ima_init_policy();
 	integrity_init_keyring(INTEGRITY_KEYRING_IMA);
 	integrity_load_x509(INTEGRITY_KEYRING_IMA, "/etc/keys/x509_ima.der");
+	ima_load_policy("/etc/ima_policy");
 
 	return ima_fs_init();
 }
-- 
1.8.3.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ