picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

ima: Write the policy filename into IMA's sysfs policy file (#4766)

Browse source 
IMA validates file signatures based on the security.ima xattr. As of
Linux-4.7, instead of copying the IMA policy into the securityfs policy,
the IMA policy pathname can be written, allowing the IMA policy file
signature to be validated.

This patch modifies the existing code to first attempt to write the
pathname, but on failure falls back to copying the IMA policy contents.
This commit is contained in:
Stefan Berger 2016-11-29 10:47:20 -05:00 committed by Zbigniew Jędrzejewski-Szmek
parent 664e7984f8
commit e8e42b31c5
1 changed files with 18 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
src/core/ima-setup.c
View file

@ -44,6 +44,22 @@ int ima_setup(void) {
return 0;
}
if (access(IMA_SECFS_POLICY, W_OK) < 0) {
log_warning("Another IMA custom policy has already been loaded, ignoring.");
return 0;
}
imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
if (imafd < 0) {
log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m");
return 0;
}
/* attempt to write the name of the policy file into sysfs file */
if (write(imafd, IMA_POLICY_PATH, strlen(IMA_POLICY_PATH)) > 0)
goto done;
/* fall back to copying the policy line-by-line */
input = fopen(IMA_POLICY_PATH, "re");
if (!input) {
log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
@ -51,10 +67,7 @@ int ima_setup(void) {
return 0;
}
if (access(IMA_SECFS_POLICY, F_OK) < 0) {
log_warning("Another IMA custom policy has already been loaded, ignoring.");
return 0;
}
close(imafd);
imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
if (imafd < 0) {
@ -74,6 +87,7 @@ int ima_setup(void) {
lineno);
}
done:
log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH".");
#endif /* HAVE_IMA */
return 0;