diff mbox series

[v12,12/26] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now

Message ID 20220420140633.753772-13-stefanb@linux.ibm.com (mailing list archive)
State New, archived
Headers show
Series ima: Namespace IMA with audit support in IMA-ns | expand

Commit Message

Stefan Berger April 20, 2022, 2:06 p.m. UTC
Only accept AUDIT rules for non-init_ima_ns namespaces for now. Reject
all rules that require support for measuring, appraisal, and hashing.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Christian Brauner <brauner@kernel.org>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

---
v9:
  - Jump to err_audit when unsupported rules are detected
---
 security/integrity/ima/ima_policy.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

Comments

Serge E. Hallyn May 22, 2022, 5:38 p.m. UTC | #1
On Wed, Apr 20, 2022 at 10:06:19AM -0400, Stefan Berger wrote:
> Only accept AUDIT rules for non-init_ima_ns namespaces for now. Reject

This sentence gives me trouble - i keep thinking you mean that you'll
reject AUDIT rules for init_ima_ns :)  Can you rephrase it as something
like

For non-init_ima_ns namespaces, only accept AUDIT rules for now.

:)

> all rules that require support for measuring, appraisal, and hashing.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Acked-by: Christian Brauner <brauner@kernel.org>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> ---
> v9:
>   - Jump to err_audit when unsupported rules are detected
> ---
>  security/integrity/ima/ima_policy.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 59e4ae5a6361..45a997709200 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1812,6 +1812,17 @@ static int ima_parse_rule(struct ima_namespace *ns,
>  			result = -EINVAL;
>  			break;
>  		}
> +
> +		/* IMA namespace only accepts AUDIT rules */
> +		if (ns != &init_ima_ns && result == 0) {
> +			switch (entry->action) {
> +			case MEASURE:
> +			case APPRAISE:
> +			case HASH:

So... what about DONT_MEASURE and DONT_APPRAISE?

> +				result = -EINVAL;
> +				goto err_audit;
> +			}
> +		}
>  	}
>  	if (!result && !ima_validate_rule(entry))
>  		result = -EINVAL;
> @@ -1824,6 +1835,7 @@ static int ima_parse_rule(struct ima_namespace *ns,
>  		check_template_modsig(template_desc);
>  	}
>  
> +err_audit:
>  	audit_log_format(ab, "res=%d", !result);
>  	audit_log_end(ab);
>  	return result;
> -- 
> 2.34.1
Stefan Berger May 24, 2022, 1:25 p.m. UTC | #2
On 5/22/22 13:38, Serge E. Hallyn wrote:
> On Wed, Apr 20, 2022 at 10:06:19AM -0400, Stefan Berger wrote:
>> Only accept AUDIT rules for non-init_ima_ns namespaces for now. Reject
> 
> This sentence gives me trouble - i keep thinking you mean that you'll
> reject AUDIT rules for init_ima_ns :)  Can you rephrase it as something
> like
> 
> For non-init_ima_ns namespaces, only accept AUDIT rules for now.
> 
> :)
> 
>> all rules that require support for measuring, appraisal, and hashing.
>

I kept the title of the patch but the text now states:

For non-init_ima_ns namespaces, only accept AUDIT rules for now. Reject
all rules that require support for measuring, appraisal, and hashing.



>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> Acked-by: Christian Brauner <brauner@kernel.org>
>> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>>
>> ---
>> v9:
>>    - Jump to err_audit when unsupported rules are detected
>> ---
>>   security/integrity/ima/ima_policy.c | 12 ++++++++++++
>>   1 file changed, 12 insertions(+)
>>
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index 59e4ae5a6361..45a997709200 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -1812,6 +1812,17 @@ static int ima_parse_rule(struct ima_namespace *ns,
>>   			result = -EINVAL;
>>   			break;
>>   		}
>> +
>> +		/* IMA namespace only accepts AUDIT rules */
>> +		if (ns != &init_ima_ns && result == 0) {
>> +			switch (entry->action) {
>> +			case MEASURE:
>> +			case APPRAISE:
>> +			case HASH:
> 
> So... what about DONT_MEASURE and DONT_APPRAISE?

They don't cause IMA to do anything that is not supported at this point 
so I let them pass. If you set these you still don't get a measurements 
or appraisal and that's good at this point..

> 
>> +				result = -EINVAL;
>> +				goto err_audit;
>> +			}
>> +		}
>>   	}
>>   	if (!result && !ima_validate_rule(entry))
>>   		result = -EINVAL;
>> @@ -1824,6 +1835,7 @@ static int ima_parse_rule(struct ima_namespace *ns,
>>   		check_template_modsig(template_desc);
>>   	}
>>   
>> +err_audit:
>>   	audit_log_format(ab, "res=%d", !result);
>>   	audit_log_end(ab);
>>   	return result;
>> -- 
>> 2.34.1
diff mbox series

Patch

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 59e4ae5a6361..45a997709200 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1812,6 +1812,17 @@  static int ima_parse_rule(struct ima_namespace *ns,
 			result = -EINVAL;
 			break;
 		}
+
+		/* IMA namespace only accepts AUDIT rules */
+		if (ns != &init_ima_ns && result == 0) {
+			switch (entry->action) {
+			case MEASURE:
+			case APPRAISE:
+			case HASH:
+				result = -EINVAL;
+				goto err_audit;
+			}
+		}
 	}
 	if (!result && !ima_validate_rule(entry))
 		result = -EINVAL;
@@ -1824,6 +1835,7 @@  static int ima_parse_rule(struct ima_namespace *ns,
 		check_template_modsig(template_desc);
 	}
 
+err_audit:
 	audit_log_format(ab, "res=%d", !result);
 	audit_log_end(ab);
 	return result;