From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Rientjes <rientjes@google.com>
Cc: linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Subject: Re: [PATCH 2/2] ima: add policy support for file system uuid
Date: Thu, 21 Feb 2013 20:46:30 -0500
Message-ID: <1361497590.29360.121.camel@falcor1>
In-Reply-To: <alpine.DEB.2.02.1302211352270.28115@chino.kir.corp.google.com>
On Thu, 2013-02-21 at 13:54 -0800, David Rientjes wrote:
> On Tue, 5 Feb 2013, Mimi Zohar wrote:
>
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index 4adcd0f..23f49e3 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -16,6 +16,7 @@
> > #include <linux/magic.h>
> > #include <linux/parser.h>
> > #include <linux/slab.h>
> > +#include <linux/genhd.h>
> >
> > #include "ima.h"
> >
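Review bot: this include does not make part_pack_uuid() available on every configuration; in <linux/genhd.h> that helper sits inside the CONFIG_BLOCK section, so the Opt_fsuuid case added further down will fail to build with CONFIG_BLOCK=n. Either move part_pack_uuid() outside the ifdef in genhd.h or give the fsuuid case a fallback that returns an error when the helper is not compiled in.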
> > @@ -25,6 +26,7 @@
> > #define IMA_FSMAGIC 0x0004
> > #define IMA_UID 0x0008
> > #define IMA_FOWNER 0x0010
> > +#define IMA_FSUUID 0x0020
> >
> > #define UNKNOWN 0
> > #define MEASURE 0x0001 /* same as IMA_MEASURE */
> > @@ -45,6 +47,7 @@ struct ima_rule_entry {
> > enum ima_hooks func;
> > int mask;
> > unsigned long fsmagic;
> > + u8 fsuuid[16];
> > kuid_t uid;
> > kuid_t fowner;
> > struct {
> > @@ -172,6 +175,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
> > if ((rule->flags & IMA_FSMAGIC)
> > && rule->fsmagic != inode->i_sb->s_magic)
> > return false;
> > + if ((rule->flags & IMA_FSUUID) &&
> > + memcmp(rule->fsuuid, inode->i_sb->s_uuid, sizeof(rule->fsuuid)))
> > + return false;
> > if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
> > return false;
> > if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
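Review bot: an all-zero rule UUID matches every superblock whose filesystem never fills in s_uuid, since both sides of this memcmp() are then zero; unless that is intended, reject a parsed UUID of all zeros at rule-parse time, or skip the comparison when the superblock's s_uuid is unset. Minor style point: the fsmagic check just above puts `&&` at the start of the continuation line while this one puts it at the end of the first line; pick one.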
> > @@ -346,7 +352,7 @@ enum {
> > Opt_obj_user, Opt_obj_role, Opt_obj_type,
> > Opt_subj_user, Opt_subj_role, Opt_subj_type,
> > Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner,
> > - Opt_appraise_type
> > + Opt_appraise_type, Opt_fsuuid
> > };
> >
> > static match_table_t policy_tokens = {
> > @@ -364,6 +370,7 @@ static match_table_t policy_tokens = {
> > {Opt_func, "func=%s"},
> > {Opt_mask, "mask=%s"},
> > {Opt_fsmagic, "fsmagic=%s"},
> > + {Opt_fsuuid, "fsuuid=%s"},
> > {Opt_uid, "uid=%s"},
> > {Opt_fowner, "fowner=%s"},
> > {Opt_appraise_type, "appraise_type=%s"},
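Review bot: no hunk in this patch updates the policy syntax documentation (Documentation/ABI/testing/ima_policy) for the new `fsuuid=` keyword; add a line there describing the expected text form of the UUID so administrators know what the token accepts.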
> > @@ -519,6 +526,19 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> > if (!result)
> > entry->flags |= IMA_FSMAGIC;
> > break;
> > + case Opt_fsuuid:
> > + ima_log_string(ab, "fsuuid", args[0].from);
> > +
> > + if (memchr_inv(entry->fsuuid, 0x00,
> > + sizeof(entry->fsuuid))) {
> > + result = -EINVAL;
> > + break;
> > + }
> > +
> > + part_pack_uuid(args[0].from, entry->fsuuid);
> > + entry->flags |= IMA_FSUUID;
> > + result = 0;
> > + break;
> > case Opt_uid:
> > ima_log_string(ab, "uid", args[0].from);
> >
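Review bot: part_pack_uuid() performs no validation of args[0].from, so a value with hyphens in the wrong places or non-hex characters is packed into a garbage UUID and the rule is still accepted with result = 0, and a value shorter than 36 characters makes the packer read beyond the terminating NUL. Check that the string is 36 characters in 8-4-4-4-12 form, with hyphens at offsets 8, 13, 18 and 23 and hex digits elsewhere, before calling it, and set result = -EINVAL otherwise; the memchr_inv() test only catches a repeated fsuuid= option on the same rule, not a malformed value.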
>
> We don't have part_pack_uuid() without CONFIG_BLOCK, so should this return
> -ENOTSUPP if that option is not enabled?
Yes, this problem showed up in Randy's randconfig. He suggested moving
part_pack_uuid() outside of the "ifdef CONFIG_BLOCK" to always make it
visible - http://marc.info/?l=linux-next&m=136139276002173&w=2.
thanks,
Mimi
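As an added worked example (not part of this thread, the patch or the kernel), the following userspace C shows what the Opt_fsuuid case and the ima_match_rules() fsuuid test do, beside a validating parser that refuses malformed values and the nil UUID. struct rule_entry, parse_fsuuid(), rule_set_fsuuid(), rule_matches_sb() and pack_uuid_unchecked() are hypothetical stand-ins for the kernel code; the sample UUID strings are constructed and belong to no real filesystem.

```c
/*
 * Added example, not code from the patch or the kernel.  Names below are
 * hypothetical stand-ins; RULE_FSUUID uses the same bit as IMA_FSUUID.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UUID_STR_LEN 36          /* 8-4-4-4-12 hex digits plus 4 hyphens */
#define RULE_FSUUID  0x0020

/* Subset of the patch's struct ima_rule_entry. */
struct rule_entry {
	unsigned int flags;
	uint8_t fsuuid[16];
};

static int hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/*
 * Unvalidated packer in the style of part_pack_uuid(): it consumes 36
 * bytes unconditionally, so a malformed 36-byte value becomes garbage
 * instead of being refused.  Caller must guarantee 36 readable bytes.
 */
void pack_uuid_unchecked(const char *uuid_str, uint8_t to[16])
{
	int i;

	for (i = 0; i < 16; i++) {
		uint8_t hi = (uint8_t)hexval(uuid_str[0]);  /* -1 -> 0xff */
		uint8_t lo = (uint8_t)hexval(uuid_str[1]);

		to[i] = (uint8_t)((hi << 4) | lo);
		uuid_str += 2;
		if (i == 3 || i == 5 || i == 7 || i == 9)
			uuid_str++;                            /* skip '-' */
	}
}

/*
 * Validated parser: fills out[] and returns 0 only for a well-formed text
 * UUID; -EINVAL on wrong length, misplaced hyphens or non-hex characters.
 */
int parse_fsuuid(const char *s, uint8_t out[16])
{
	size_t i, n = 0;

	if (strlen(s) != UUID_STR_LEN)
		return -EINVAL;
	for (i = 0; i < UUID_STR_LEN; i++) {
		int hi, lo;

		if (i == 8 || i == 13 || i == 18 || i == 23) {
			if (s[i] != '-')
				return -EINVAL;
			continue;
		}
		hi = hexval(s[i]);
		lo = hexval(s[i + 1]);
		if (hi < 0 || lo < 0)
			return -EINVAL;
		out[n++] = (uint8_t)((hi << 4) | lo);
		i++;                    /* consumed two characters */
	}
	return n == 16 ? 0 : -EINVAL;
}

/*
 * Mirrors the patch's Opt_fsuuid case (refuse a second fsuuid= on the same
 * rule, then pack and set the flag) plus two checks the hunk lacks: the
 * value must parse, and the nil UUID is refused because it would match
 * every superblock that never set s_uuid.
 */
int rule_set_fsuuid(struct rule_entry *e, const char *value)
{
	static const uint8_t zero[16];
	uint8_t tmp[16];

	if (memcmp(e->fsuuid, zero, sizeof(zero)) != 0)
		return -EINVAL;          /* fsuuid= already given */
	if (parse_fsuuid(value, tmp) != 0)
		return -EINVAL;
	if (memcmp(tmp, zero, sizeof(zero)) == 0)
		return -EINVAL;          /* nil UUID would match unset s_uuid */
	memcpy(e->fsuuid, tmp, sizeof(tmp));
	e->flags |= RULE_FSUUID;
	return 0;
}

/* The ima_match_rules() fsuuid test from the patch: 1 = applies, 0 = not. */
int rule_matches_sb(const struct rule_entry *e, const uint8_t sb_uuid[16])
{
	if ((e->flags & RULE_FSUUID) &&
	    memcmp(e->fsuuid, sb_uuid, sizeof(e->fsuuid)) != 0)
		return 0;
	return 1;
}

int main(void)
{
	/* Constructed sample values; not from any real filesystem. */
	const char *good = "8f0b4c2a-1d3e-4f5a-9b6c-7d8e9f0a1b2c";
	const char *bad  = "8f0b4c2a-1d3e-4f5a-9b6c-7d8e9f0a1b2z";
	struct rule_entry rule = { 0 };
	uint8_t sb[16], garbage[16];

	printf("set good: %d\n", rule_set_fsuuid(&rule, good));   /* 0 */
	memcpy(sb, rule.fsuuid, sizeof(sb));
	printf("match: %d\n", rule_matches_sb(&rule, sb));         /* 1 */
	sb[15] ^= 1;
	printf("mismatch: %d\n", rule_matches_sb(&rule, sb));      /* 0 */
	printf("parse bad: %d\n", parse_fsuuid(bad, garbage));     /* -EINVAL */
	pack_uuid_unchecked(bad, garbage);
	printf("unchecked last byte: 0x%02x\n", garbage[15]);      /* 0xff */
	return 0;
}
```

The packer is deliberately kept separate from the rule logic so the difference is visible: pack_uuid_unchecked() has no way to report a bad value, which is why the validation has to happen before it is called, and why the parse step rather than the match step is the place to refuse the nil UUID.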
Thread overview: 5+ messages
2013-02-05 13:28 [PATCH 1/2] evm: add file system uuid to EVM hmac Mimi Zohar
2013-02-05 13:28 ` [PATCH 2/2] ima: add policy support for file system uuid Mimi Zohar
2013-02-21 21:54 ` David Rientjes
2013-02-22 1:46 ` Mimi Zohar [this message]
2013-02-22 10:39 ` David Rientjes