Message ID | 20200923192011.5293-3-tusharsu@linux.microsoft.com (mailing list archive) |
---|---|
State | New, archived |
Series | IMA: Infrastructure for measurement of critical kernel data |

Hi Tushar,

On Wed, 2020-09-23 at 12:20 -0700, Tushar Sugandhi wrote:
> ima_match_rule_data() permits the func to pass empty func_data.
> For instance, for the following func, the func_data keyrings= is
> optional.
> measure func=KEY_CHECK keyrings=.ima
>
> But a new func in future may want to constrain the func_data to
> be non-empty. ima_match_rule_data() should support this constraint
> and it shouldn't be hard-coded in ima_match_rule_data().
>
> Update ima_match_rule_data() to conditionally allow empty func_data
> for the func that needs it.
>
> Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>

Policy rules may constrain what is measured, but that decision should
be left to the system owner or admin.

Mimi

On 2020-10-22 1:38 p.m., Mimi Zohar wrote:
> Hi Tushar,
>
> On Wed, 2020-09-23 at 12:20 -0700, Tushar Sugandhi wrote:
>> ima_match_rule_data() permits the func to pass empty func_data.
>> For instance, for the following func, the func_data keyrings= is
>> optional.
>> measure func=KEY_CHECK keyrings=.ima
>>
>> But a new func in future may want to constrain the func_data to
>> be non-empty. ima_match_rule_data() should support this constraint
>> and it shouldn't be hard-coded in ima_match_rule_data().
>>
>> Update ima_match_rule_data() to conditionally allow empty func_data
>> for the func that needs it.
>>
>> Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
>
> Policy rules may constrain what is measured, but that decision should
> be left to the system owner or admin.
>
> Mimi
>

Agreed. As you mentioned in the patch 5/6 of this series, I will get
rid of this patch.

~Tushar

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 31a772d8a86b..8866e84d0062 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -456,6 +456,7 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, * @rule: IMA policy rule * @opt_list: rule data to match func_data against * @func_data: data to match against the measure rule data + * @allow_empty_opt_list: If true matches all func_data * @cred: a pointer to a credentials structure for user validation * * Returns true if func_data matches one in the rule, false otherwise. @@ -463,6 +464,7 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, static bool ima_match_rule_data(struct ima_rule_entry *rule, const struct ima_rule_opt_list *opt_list, const char *func_data, + bool allow_empty_opt_list, const struct cred *cred) { bool matched = false; @@ -472,7 +474,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, return false; if (!opt_list) - return true; + return allow_empty_opt_list; if (!func_data) return false; @@ -509,7 +511,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, if (func == KEY_CHECK) { return (rule->flags & IMA_FUNC) && (rule->func == func) && ima_match_rule_data(rule, rule->keyrings, func_data, - cred); + true, cred); } if ((rule->flags & IMA_FUNC) && (rule->func != func && func != POST_SETATTR))
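
Review bot: In the kernel-doc hunk (@@ -456,6 +456,7), the new line "@allow_empty_opt_list: If true matches all func_data" overstates what the flag does. In the function body it is consulted only on the `if (!opt_list)` path, so the description should say that when true, a rule with no @opt_list matches any func_data. The unchanged "Returns true if func_data matches one in the rule, false otherwise" sentence should also mention that case.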
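
Review bot: In the body hunk (@@ -472,7 +474,7), `return allow_empty_opt_list;` under `if (!opt_list)` means a rule that carries no opt_list silently never matches once a caller passes false, and nothing on this path says so. The changelog describes the constraint as "non-empty func_data", but the check being changed is on opt_list, and the `if (!func_data) return false;` line right below is untouched. Suggest a comment on the branch stating which case is rejected, and aligning the changelog wording with the parameter name.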
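
Review bot: At the KEY_CHECK call site (@@ -509,7 +511,7), the bare literal in `true, cred);` does not tell the reader what it enables, and it is the only call changed in this patch, so the false path has no user here. Suggest a short comment at the call noting that KEY_CHECK rules may omit keyrings=, or introducing the parameter in the same patch as the first caller that passes false.
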
ima_match_rule_data() permits the func to pass empty func_data.
For instance, for the following func, the func_data keyrings= is
optional.
measure func=KEY_CHECK keyrings=.ima

But a new func in future may want to constrain the func_data to
be non-empty. ima_match_rule_data() should support this constraint
and it shouldn't be hard-coded in ima_match_rule_data().

Update ima_match_rule_data() to conditionally allow empty func_data
for the func that needs it.

Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>

---
 security/integrity/ima/ima_policy.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)