| Message ID | 20220420140633.753772-13-stefanb@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ima: Namespace IMA with audit support in IMA-ns | expand |
On Wed, Apr 20, 2022 at 10:06:19AM -0400, Stefan Berger wrote: > Only accept AUDIT rules for non-init_ima_ns namespaces for now. Reject This sentence gives me trouble - i keep thinking you mean that you'll reject AUDIT rules for init_ima_ns :) Can you rephrase it as something like For non-init_ima_ns namespaces, only accept AUDIT rules for now. :) > all rules that require support for measuring, appraisal, and hashing. > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > Acked-by: Christian Brauner <brauner@kernel.org> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > --- > v9: > - Jump to err_audit when unsupported rules are detected > --- > security/integrity/ima/ima_policy.c | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index 59e4ae5a6361..45a997709200 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -1812,6 +1812,17 @@ static int ima_parse_rule(struct ima_namespace *ns, > result = -EINVAL; > break; > } > + > + /* IMA namespace only accepts AUDIT rules */ > + if (ns != &init_ima_ns && result == 0) { > + switch (entry->action) { > + case MEASURE: > + case APPRAISE: > + case HASH: So... what about DONT_MEASURE and DONT_APPRAISE? > + result = -EINVAL; > + goto err_audit; > + } > + } > } > if (!result && !ima_validate_rule(entry)) > result = -EINVAL; > @@ -1824,6 +1835,7 @@ static int ima_parse_rule(struct ima_namespace *ns, > check_template_modsig(template_desc); > } > > +err_audit: > audit_log_format(ab, "res=%d", !result); > audit_log_end(ab); > return result; > -- > 2.34.1
On 5/22/22 13:38, Serge E. Hallyn wrote: > On Wed, Apr 20, 2022 at 10:06:19AM -0400, Stefan Berger wrote: >> Only accept AUDIT rules for non-init_ima_ns namespaces for now. Reject > > This sentence gives me trouble - i keep thinking you mean that you'll > reject AUDIT rules for init_ima_ns :) Can you rephrase it as something > like > > For non-init_ima_ns namespaces, only accept AUDIT rules for now. > > :) > >> all rules that require support for measuring, appraisal, and hashing. > I kept the title of the patch but the text now states: For non-init_ima_ns namespaces, only accept AUDIT rules for now. Reject all rules that require support for measuring, appraisal, and hashing. > >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> >> Acked-by: Christian Brauner <brauner@kernel.org> >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> >> >> --- >> v9: >> - Jump to err_audit when unsupported rules are detected >> --- >> security/integrity/ima/ima_policy.c | 12 ++++++++++++ >> 1 file changed, 12 insertions(+) >> >> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c >> index 59e4ae5a6361..45a997709200 100644 >> --- a/security/integrity/ima/ima_policy.c >> +++ b/security/integrity/ima/ima_policy.c >> @@ -1812,6 +1812,17 @@ static int ima_parse_rule(struct ima_namespace *ns, >> result = -EINVAL; >> break; >> } >> + >> + /* IMA namespace only accepts AUDIT rules */ >> + if (ns != &init_ima_ns && result == 0) { >> + switch (entry->action) { >> + case MEASURE: >> + case APPRAISE: >> + case HASH: > > So... what about DONT_MEASURE and DONT_APPRAISE? They don't cause IMA to do anything that is not supported at this point so I let them pass. If you set these you still don't get a measurements or appraisal and that's good at this point.. > >> + result = -EINVAL; >> + goto err_audit; >> + } >> + } >> } >> if (!result && !ima_validate_rule(entry)) >> result = -EINVAL; >> @@ -1824,6 +1835,7 @@ static int ima_parse_rule(struct ima_namespace *ns, >> check_template_modsig(template_desc); >> } >> >> +err_audit: >> audit_log_format(ab, "res=%d", !result); >> audit_log_end(ab); >> return result; >> -- >> 2.34.1
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 59e4ae5a6361..45a997709200 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1812,6 +1812,17 @@ static int ima_parse_rule(struct ima_namespace *ns, result = -EINVAL; break; } + + /* IMA namespace only accepts AUDIT rules */ + if (ns != &init_ima_ns && result == 0) { + switch (entry->action) { + case MEASURE: + case APPRAISE: + case HASH: + result = -EINVAL; + goto err_audit; + } + } } if (!result && !ima_validate_rule(entry)) result = -EINVAL; @@ -1824,6 +1835,7 @@ static int ima_parse_rule(struct ima_namespace *ns, check_template_modsig(template_desc); } +err_audit: audit_log_format(ab, "res=%d", !result); audit_log_end(ab); return result;