From patchwork Tue Feb 26 21:50:32 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10830859
Date: Tue, 26 Feb 2019 13:50:32 -0800
In-Reply-To: <20190226215034.68772-1-matthewgarrett@google.com>
Message-Id: <20190226215034.68772-3-matthewgarrett@google.com>
References: <20190226215034.68772-1-matthewgarrett@google.com>
Subject: [PATCH V2 2/4] IMA: Allow rule matching on filesystem subtype
From: Matthew Garrett To: linux-integrity@vger.kernel.org Cc: zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, linux-fsdevel@vger.kernel.org, miklos@szeredi.hu, Matthew Garrett , Matthew Garrett Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP IMA currently allows rules to match on the filesystem type. Certain filesystem types permit subtypes (eg, fuse). Add support to IMA to allow rules to match on subtypes as well as types. Signed-off-by: Matthew Garrett --- Documentation/ABI/testing/ima_policy | 4 +++- security/integrity/ima/ima_policy.c | 26 +++++++++++++++++++++++++- 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 74c6702de74e..09a5def7e28a 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -21,7 +21,7 @@ Description: audit | hash | dont_hash condition:= base | lsm [option] base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] - [euid=] [fowner=] [fsname=]] + [euid=] [fowner=] [fsname=] [subtype=]] lsm: [[subj_user=] [subj_role=] [subj_type=] [obj_user=] [obj_role=] [obj_type=]] option: [[appraise_type=]] [permit_directio] @@ -33,6 +33,8 @@ Description: [[^]MAY_EXEC] fsmagic:= hex value fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) + fsname:= file system type (e.g fuse) + subtype:= file system subtype (e.g ntfs3g) uid:= decimal value euid:= decimal value fowner:= decimal value diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 8bc8a1c8cb3f..dcecb6aae5ec 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -35,6 +35,7 @@ #define IMA_EUID 0x0080 #define IMA_PCR 0x0100 #define IMA_FSNAME 0x0200 +#define IMA_SUBTYPE 0x0400 #define UNKNOWN 0 #define MEASURE 0x0001 /* same as IMA_MEASURE */ 
@@ -80,6 +81,7 @@ struct ima_rule_entry { int type; /* audit type */ } lsm[MAX_LSM_RULES]; char *fsname; + char *subtype; }; /* @@ -306,6 +308,10 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, if ((rule->flags & IMA_FSNAME) && strcmp(rule->fsname, inode->i_sb->s_type->name)) return false; + if ((rule->flags & IMA_SUBTYPE) + && (inode->i_sb->s_subtype == NULL || + strcmp(rule->subtype, inode->i_sb->s_subtype))) + return false; if ((rule->flags & IMA_FSUUID) && !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) return false; @@ -672,7 +678,7 @@ enum { Opt_audit, Opt_hash, Opt_dont_hash, Opt_obj_user, Opt_obj_role, Opt_obj_type, Opt_subj_user, Opt_subj_role, Opt_subj_type, - Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, + Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_subtype, Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, @@ -698,6 +704,7 @@ static const match_table_t policy_tokens = { {Opt_mask, "mask=%s"}, {Opt_fsmagic, "fsmagic=%s"}, {Opt_fsname, "fsname=%s"}, + {Opt_subtype, "subtype=%s"}, {Opt_fsuuid, "fsuuid=%s"}, {Opt_uid_eq, "uid=%s"}, {Opt_euid_eq, "euid=%s"}, @@ -923,6 +930,17 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) result = 0; entry->flags |= IMA_FSNAME; break; + case Opt_subtype: + ima_log_string(ab, "subtype", args[0].from); + + entry->subtype = kstrdup(args[0].from, GFP_KERNEL); + if (!entry->subtype) { + result = -ENOMEM; + break; + } + result = 0; + entry->flags |= IMA_SUBTYPE; + break; case Opt_fsuuid: ima_log_string(ab, "fsuuid", args[0].from); @@ -1254,6 +1272,12 @@ int ima_policy_show(struct seq_file *m, void *v) seq_puts(m, " "); } + if (entry->flags & IMA_SUBTYPE) { + snprintf(tbuf, sizeof(tbuf), "%s", entry->subtype); + seq_printf(m, pt(Opt_subtype), tbuf); + seq_puts(m, " "); + } + if (entry->flags & IMA_PCR) { snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); seq_printf(m, pt(Opt_pcr), tbuf);
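Review bot: in the Documentation/ABI/testing/ima_policy hunk at @@ -33,6 +33,8 @@, the added "fsname:= file system type (e.g fuse)" line documents an option that already existed rather than anything this patch introduces; either say in the commit message that the missing fsname description is being filled in at the same time, or split it into its own patch so this one stays single-purpose. The "subtype:=" line would also be more useful if it stated that the match is an exact string comparison against the subtype the filesystem reported when it was mounted, and that a rule carrying subtype= never matches a file on a filesystem that reports no subtype at all, which is the behaviour the ima_match_rules hunk implements.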
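Review bot: in the ima_match_rules hunk at @@ -306,6 +308,10 @@, the logical continuation is placed at the start of the second line ("+ && (inode->i_sb->s_subtype == NULL ||"), which kernel coding style and checkpatch ("Logical continuations should be on the previous line") both object to; move the && to the end of the first line so it reads "if ((rule->flags & IMA_SUBTYPE) &&" followed by "(inode->i_sb->s_subtype == NULL ||" and "strcmp(rule->subtype, inode->i_sb->s_subtype)))". The logic itself is sound: a NULL s_subtype fails the rule instead of being dereferenced, and the check sits after the IMA_FSNAME test so a rule combining fsname= and subtype= short-circuits on the cheaper type-name compare. Since the only thing compared is whatever string the superblock carries in s_subtype, the ABI document is the place to spell out that a subtype= rule is only as specific as that reported string.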
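Review bot: in the ima_parse_rule hunk at @@ -923,6 +930,17 @@, a rule that repeats subtype= overwrites entry->subtype with a second kstrdup() and leaks the first allocation; reject the duplicate with "result = -EINVAL; break;" when entry->subtype is already non-NULL before calling kstrdup(). Separately, the patch allocates entry->subtype here but no matching kfree() appears in any hunk; confirm that the path which frees an ima_rule_entry, and the error path taken when a later token in the same rule fails to parse, both release entry->subtype, otherwise every rule carrying subtype= leaks the string whenever the policy is replaced or a parse fails part-way through.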
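Review bot: in the ima_policy_show hunk at @@ -1254,6 +1272,12 @@, copying entry->subtype into tbuf with snprintf() before printing it silently truncates any subtype longer than tbuf, so the policy shown to userspace would no longer be the policy that was loaded. The value is already a NUL-terminated string, so the intermediate copy is unnecessary: print it directly with "seq_printf(m, pt(Opt_subtype), entry->subtype);" and drop the snprintf() line.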