From patchwork Wed Jun 21 18:18:23 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 9802517 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id C0AFA6038C for ; Wed, 21 Jun 2017 18:20:38 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B244C286DD for ; Wed, 21 Jun 2017 18:20:38 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 82FB32867C; Wed, 21 Jun 2017 18:20:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 29EE6286B9 for ; Wed, 21 Jun 2017 18:20:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752711AbdFUST7 (ORCPT ); Wed, 21 Jun 2017 14:19:59 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:44359 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752155AbdFUSTw (ORCPT ); Wed, 21 Jun 2017 14:19:52 -0400 Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v5LIIUR0145266 for ; Wed, 21 Jun 2017 14:19:51 -0400 Received: from e23smtp03.au.ibm.com (e23smtp03.au.ibm.com [202.81.31.145]) by mx0a-001b2d01.pphosted.com with ESMTP id 2b7uxfe5hn-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Wed, 21 Jun 2017 14:19:51 -0400 Received: from localhost by e23smtp03.au.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 22 Jun 2017 04:19:49 +1000 Received: from d23relay07.au.ibm.com (202.81.31.226) by e23smtp03.au.ibm.com (202.81.31.209) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 22 Jun 2017 04:19:47 +1000 Received: from d23av05.au.ibm.com (d23av05.au.ibm.com [9.190.234.119]) by d23relay07.au.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v5LIJcrx5571004; Thu, 22 Jun 2017 04:19:46 +1000 Received: from d23av05.au.ibm.com (localhost [127.0.0.1]) by d23av05.au.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id v5LIJEK7027852; Thu, 22 Jun 2017 04:19:14 +1000 Received: from localhost.localdomain.com ([9.80.97.110]) by d23av05.au.ibm.com (8.14.4/8.14.4/NCO v10.0 AVin) with ESMTP id v5LIJ1gV027128; Thu, 22 Jun 2017 04:19:11 +1000 From: Mimi Zohar To: Christoph Hellwig , Al Viro Cc: Mimi Zohar , James Morris , linux-fsdevel@vger.kernel.org, linux-ima-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org Subject: [PATCH v2 03/10] ima: define "dont_failsafe" policy action rule Date: Wed, 21 Jun 2017 14:18:23 -0400 X-Mailer: git-send-email 2.7.4 In-Reply-To: <1498069110-10009-1-git-send-email-zohar@linux.vnet.ibm.com> References: <1498069110-10009-1-git-send-email-zohar@linux.vnet.ibm.com> X-TM-AS-MML: disable x-cbid: 17062118-0008-0000-0000-00000144D2EB X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17062118-0009-0000-0000-00000974736F Message-Id: <1498069110-10009-4-git-send-email-zohar@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-06-21_04:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1706210306 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Permit normally denied access/execute permission for files in policy on IMA unsupported filesystems. This patch defines the "dont_failsafe" policy action rule. Mimi Zohar --- Documentation/ABI/testing/ima_policy | 3 ++- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_main.c | 11 ++++++++++- security/integrity/ima/ima_policy.c | 14 +++++++++++++- 4 files changed, 26 insertions(+), 3 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index e76432b9954d..f271207743e5 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -17,7 +17,8 @@ Description: rule format: action [condition ...] - action: measure | dont_measure | appraise | dont_appraise | audit + action: measure | dont_meaure | appraise | dont_appraise | + audit | dont_failsafe condition:= base | lsm [option] base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] [euid=] [fowner=]] diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index d52b487ad259..c5f34f7c5b0f 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -224,6 +224,7 @@ void *ima_policy_start(struct seq_file *m, loff_t *pos); void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos); void ima_policy_stop(struct seq_file *m, void *v); int ima_policy_show(struct seq_file *m, void *v); +void set_failsafe(bool flag); /* Appraise integrity measurements */ #define IMA_APPRAISE_ENFORCE 0x01 diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 63777d1210b1..59e271a20600 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -38,6 +38,11 @@ int ima_appraise; int ima_hash_algo = HASH_ALGO_SHA1; static int hash_setup_done; +static bool ima_failsafe = 1; +void set_failsafe(bool flag) { + ima_failsafe = flag; +} + static int __init hash_setup(char *str) { struct ima_template_desc *template_desc = ima_template_desc_current(); @@ -263,8 +268,12 @@ static int process_measurement(struct file *file, char *buf, loff_t size, __putname(pathbuf); out: inode_unlock(inode); - if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) + if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) { + if (!ima_failsafe && rc == -EBADF) + return 0; + return -EACCES; + } return 0; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index f4436626ccb7..cb92c9c04e80 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -46,6 +46,7 @@ int ima_policy_flag; static int temp_ima_appraise; +static bool temp_failsafe = 1; #define MAX_LSM_RULES 6 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, @@ -513,6 +514,12 @@ void ima_update_policy(void) if (ima_rules != policy) { ima_policy_flag = 0; ima_rules = policy; + + /* + * Only permit initial policy replacement, not append, to + * set dont_failsafe. + */ + set_failsafe(temp_failsafe); } ima_update_policy_flag(); } @@ -529,7 +536,7 @@ enum { Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, Opt_appraise_type, Opt_permit_directio, - Opt_pcr + Opt_pcr, Opt_dont_failsafe }; static match_table_t policy_tokens = { @@ -560,6 +567,7 @@ static match_table_t policy_tokens = { {Opt_appraise_type, "appraise_type=%s"}, {Opt_permit_directio, "permit_directio"}, {Opt_pcr, "pcr=%s"}, + {Opt_dont_failsafe, "dont_failsafe"}, {Opt_err, NULL} }; @@ -671,6 +679,10 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) entry->action = AUDIT; break; + case Opt_dont_failsafe: + ima_log_string(ab, "action", "dont_failsafe"); + temp_failsafe = 0; + break; case Opt_func: ima_log_string(ab, "func", args[0].from);