	ima: define a new policy condition based on the filesystem name
If/when file data signatures are distributed with the file data, this patch will not be needed. In the current environment where only some files are signed, the ability to differentiate between file systems is needed. Some file systems consider the file system magic number internal to the file system. This patch defines a new IMA policy condition named "fsname", based on the superblock's file_system_type (sb->s_type) name. This allows policy rules to be expressed in terms of the filesystem name. The following sample rules require file signatures on rootfs files executed or mmap'ed. appraise func=BPRM_CHECK fsname=rootfs appraise_type=imasig appraise func=FILE_MMAP fsname=rootfs appraise_type=imasig Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Dave Chinner <david@fromorbit.com> Cc: Theodore Ts'o <tytso@mit.edu>
This commit is contained in:
		
							parent
							
								
									fa516b66a1
								
							
						
					
					
						commit
						f1b08bbcbd
					
				| @ -21,7 +21,7 @@ Description: | |||||||
| 			audit | hash | dont_hash | 			audit | hash | dont_hash | ||||||
| 		condition:= base | lsm  [option] | 		condition:= base | lsm  [option] | ||||||
| 			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] | 			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] | ||||||
| 				[euid=] [fowner=]] | 				[euid=] [fowner=] [fsname=]] | ||||||
| 			lsm:	[[subj_user=] [subj_role=] [subj_type=] | 			lsm:	[[subj_user=] [subj_role=] [subj_type=] | ||||||
| 				 [obj_user=] [obj_role=] [obj_type=]] | 				 [obj_user=] [obj_role=] [obj_type=]] | ||||||
| 			option:	[[appraise_type=]] [permit_directio] | 			option:	[[appraise_type=]] [permit_directio] | ||||||
|  | |||||||
| @ -33,6 +33,7 @@ | |||||||
| #define IMA_INMASK	0x0040 | #define IMA_INMASK	0x0040 | ||||||
| #define IMA_EUID	0x0080 | #define IMA_EUID	0x0080 | ||||||
| #define IMA_PCR		0x0100 | #define IMA_PCR		0x0100 | ||||||
|  | #define IMA_FSNAME	0x0200 | ||||||
| 
 | 
 | ||||||
| #define UNKNOWN		0 | #define UNKNOWN		0 | ||||||
| #define MEASURE		0x0001	/* same as IMA_MEASURE */ | #define MEASURE		0x0001	/* same as IMA_MEASURE */ | ||||||
| @ -74,6 +75,7 @@ struct ima_rule_entry { | |||||||
| 		void *args_p;	/* audit value */ | 		void *args_p;	/* audit value */ | ||||||
| 		int type;	/* audit type */ | 		int type;	/* audit type */ | ||||||
| 	} lsm[MAX_LSM_RULES]; | 	} lsm[MAX_LSM_RULES]; | ||||||
|  | 	char *fsname; | ||||||
| }; | }; | ||||||
| 
 | 
 | ||||||
| /*
 | /*
 | ||||||
| @ -273,6 +275,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, | |||||||
| 	if ((rule->flags & IMA_FSMAGIC) | 	if ((rule->flags & IMA_FSMAGIC) | ||||||
| 	    && rule->fsmagic != inode->i_sb->s_magic) | 	    && rule->fsmagic != inode->i_sb->s_magic) | ||||||
| 		return false; | 		return false; | ||||||
|  | 	if ((rule->flags & IMA_FSNAME) | ||||||
|  | 	    && strcmp(rule->fsname, inode->i_sb->s_type->name)) | ||||||
|  | 		return false; | ||||||
| 	if ((rule->flags & IMA_FSUUID) && | 	if ((rule->flags & IMA_FSUUID) && | ||||||
| 	    !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) | 	    !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) | ||||||
| 		return false; | 		return false; | ||||||
| @ -540,7 +545,7 @@ enum { | |||||||
| 	Opt_audit, Opt_hash, Opt_dont_hash, | 	Opt_audit, Opt_hash, Opt_dont_hash, | ||||||
| 	Opt_obj_user, Opt_obj_role, Opt_obj_type, | 	Opt_obj_user, Opt_obj_role, Opt_obj_type, | ||||||
| 	Opt_subj_user, Opt_subj_role, Opt_subj_type, | 	Opt_subj_user, Opt_subj_role, Opt_subj_type, | ||||||
| 	Opt_func, Opt_mask, Opt_fsmagic, | 	Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, | ||||||
| 	Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, | 	Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, | ||||||
| 	Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, | 	Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, | ||||||
| 	Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, | 	Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, | ||||||
| @ -565,6 +570,7 @@ static match_table_t policy_tokens = { | |||||||
| 	{Opt_func, "func=%s"}, | 	{Opt_func, "func=%s"}, | ||||||
| 	{Opt_mask, "mask=%s"}, | 	{Opt_mask, "mask=%s"}, | ||||||
| 	{Opt_fsmagic, "fsmagic=%s"}, | 	{Opt_fsmagic, "fsmagic=%s"}, | ||||||
|  | 	{Opt_fsname, "fsname=%s"}, | ||||||
| 	{Opt_fsuuid, "fsuuid=%s"}, | 	{Opt_fsuuid, "fsuuid=%s"}, | ||||||
| 	{Opt_uid_eq, "uid=%s"}, | 	{Opt_uid_eq, "uid=%s"}, | ||||||
| 	{Opt_euid_eq, "euid=%s"}, | 	{Opt_euid_eq, "euid=%s"}, | ||||||
| @ -776,6 +782,17 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) | |||||||
| 			if (!result) | 			if (!result) | ||||||
| 				entry->flags |= IMA_FSMAGIC; | 				entry->flags |= IMA_FSMAGIC; | ||||||
| 			break; | 			break; | ||||||
|  | 		case Opt_fsname: | ||||||
|  | 			ima_log_string(ab, "fsname", args[0].from); | ||||||
|  | 
 | ||||||
|  | 			entry->fsname = kstrdup(args[0].from, GFP_KERNEL); | ||||||
|  | 			if (!entry->fsname) { | ||||||
|  | 				result = -ENOMEM; | ||||||
|  | 				break; | ||||||
|  | 			} | ||||||
|  | 			result = 0; | ||||||
|  | 			entry->flags |= IMA_FSNAME; | ||||||
|  | 			break; | ||||||
| 		case Opt_fsuuid: | 		case Opt_fsuuid: | ||||||
| 			ima_log_string(ab, "fsuuid", args[0].from); | 			ima_log_string(ab, "fsuuid", args[0].from); | ||||||
| 
 | 
 | ||||||
| @ -1104,6 +1121,12 @@ int ima_policy_show(struct seq_file *m, void *v) | |||||||
| 		seq_puts(m, " "); | 		seq_puts(m, " "); | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
|  | 	if (entry->flags & IMA_FSNAME) { | ||||||
|  | 		snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); | ||||||
|  | 		seq_printf(m, pt(Opt_fsname), tbuf); | ||||||
|  | 		seq_puts(m, " "); | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
| 	if (entry->flags & IMA_PCR) { | 	if (entry->flags & IMA_PCR) { | ||||||
| 		snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); | 		snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); | ||||||
| 		seq_printf(m, pt(Opt_pcr), tbuf); | 		seq_printf(m, pt(Opt_pcr), tbuf); | ||||||
|  | |||||||
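Review bot: In the Opt_fsname case of ima_parse_rule, a rule that repeats `fsname=` overwrites entry->fsname with a second kstrdup() and leaks the first; the other single-valued keywords in this switch appear to reject a repeat, so the same guard belongs here before the allocation: `if (entry->fsname) { result = -EINVAL; break; }`. No kfree() of entry->fsname is visible in this commit either, so unless the rule-deletion path already frees it, the string is leaked each time the policy list is replaced. ima_match_rules' strcmp() is safe as written because the flag is only set once the string was allocated. Both ima_parse_rule and ima_policy_show start and end outside the hunks shown.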