| Message ID | 20200626223900.253615-7-tyhicks@linux.microsoft.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support | expand |
On 6/26/20 3:38 PM, Tyler Hicks wrote: > The KEY_CHECK function only supports the uid, pcr, and keyrings > conditionals. Make this clear at policy load so that IMA policy authors > don't assume that other conditionals are supported. > > Fixes: 5808611cccb2 ("IMA: Add KEY_CHECK func to measure keys") > Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com> > --- > > * v2 > - No change > > security/integrity/ima/ima_policy.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index 676d5557af1a..f9b1bdb897da 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -1018,6 +1018,13 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) > if (entry->action & ~(MEASURE | DONT_MEASURE)) > return false; > > + if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | > + IMA_KEYRINGS)) > + return false; > + > + if (ima_rule_contains_lsm_cond(entry)) > + return false; > + > break; > default: > return false; > Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 676d5557af1a..f9b1bdb897da 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1018,6 +1018,13 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) if (entry->action & ~(MEASURE | DONT_MEASURE)) return false; + if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | + IMA_KEYRINGS)) + return false; + + if (ima_rule_contains_lsm_cond(entry)) + return false; + break; default: return false;
The KEY_CHECK function only supports the uid, pcr, and keyrings conditionals. Make this clear at policy load so that IMA policy authors don't assume that other conditionals are supported. Fixes: 5808611cccb2 ("IMA: Add KEY_CHECK func to measure keys") Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com> --- * v2 - No change security/integrity/ima/ima_policy.c | 7 +++++++ 1 file changed, 7 insertions(+)