| Message ID | 20200623003236.830149-11-tyhicks@linux.microsoft.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support | expand |
On 2020-06-22 19:32:34, Tyler Hicks wrote: > Use ima_validate_rule() to ensure that the combination of a hook > function and the keyrings conditional is valid and that the keyrings > conditional is not specified without an explicit KEY_CHECK func > conditional. This is a code cleanup and has no user-facing change. > > Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com> > --- > security/integrity/ima/ima_policy.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index 514baf24d6a5..ae2ec2a9cdb9 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -999,6 +999,12 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) > case KEXEC_KERNEL_CHECK: > case KEXEC_INITRAMFS_CHECK: > case POLICY_CHECK: > + if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | > + IMA_UID | IMA_FOWNER | IMA_FSUUID | > + IMA_INMASK | IMA_EUID | IMA_PCR | > + IMA_FSNAME)) I accidentally left these out: (IMA_DIGSIG_REQUIRED | IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST) I'll add them in v2. Tyler > + return false; > + > break; > case KEXEC_CMDLINE: > if (entry->action & ~(MEASURE | DONT_MEASURE)) > @@ -1026,7 +1032,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) > default: > return false; > } > - } > + } else if (entry->flags & IMA_KEYRINGS) > + return false; > > return true; > } > @@ -1208,7 +1215,6 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) > keyrings_len = strlen(args[0].from) + 1; > > if ((entry->keyrings) || > - (entry->func != KEY_CHECK) || > (keyrings_len < 2)) { > result = -EINVAL; > break; > -- > 2.25.1
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > > index 514baf24d6a5..ae2ec2a9cdb9 100644 > > --- a/security/integrity/ima/ima_policy.c > > +++ b/security/integrity/ima/ima_policy.c > > @@ -999,6 +999,12 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) > > case KEXEC_KERNEL_CHECK: > > case KEXEC_INITRAMFS_CHECK: > > case POLICY_CHECK: > > + if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | > > + IMA_UID | IMA_FOWNER | IMA_FSUUID | > > + IMA_INMASK | IMA_EUID | IMA_PCR | > > + IMA_FSNAME)) > > I accidentally left these out: > > (IMA_DIGSIG_REQUIRED | IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST) > > I'll add them in v2. Thanks, I noticed when skimming the patches the first time around. Mimi
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 514baf24d6a5..ae2ec2a9cdb9 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -999,6 +999,12 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) case KEXEC_KERNEL_CHECK: case KEXEC_INITRAMFS_CHECK: case POLICY_CHECK: + if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | + IMA_UID | IMA_FOWNER | IMA_FSUUID | + IMA_INMASK | IMA_EUID | IMA_PCR | + IMA_FSNAME)) + return false; + break; case KEXEC_CMDLINE: if (entry->action & ~(MEASURE | DONT_MEASURE)) @@ -1026,7 +1032,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) default: return false; } - } + } else if (entry->flags & IMA_KEYRINGS) + return false; return true; } @@ -1208,7 +1215,6 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) keyrings_len = strlen(args[0].from) + 1; if ((entry->keyrings) || - (entry->func != KEY_CHECK) || (keyrings_len < 2)) { result = -EINVAL; break;
Use ima_validate_rule() to ensure that the combination of a hook function and the keyrings conditional is valid and that the keyrings conditional is not specified without an explicit KEY_CHECK func conditional. This is a code cleanup and has no user-facing change. Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com> --- security/integrity/ima/ima_policy.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)