* [PATCH 1/2] systemd: mount the securityfs filesystem at early stage @ 2012-02-22 14:52 Roberto Sassu 2012-02-22 14:52 ` [PATCH 2/2] main: added support for loading IMA custom policies Roberto Sassu 0 siblings, 1 reply; 17+ messages in thread From: Roberto Sassu @ 2012-02-22 14:52 UTC (permalink / raw) To: systemd-devel Cc: linux-security-module, linux-ima-user, initramfs, ramunno, zohar, mzerqung, harald, Roberto Sassu [-- Attachment #1: Type: text/plain, Size: 3890 bytes --] The mount of the securityfs filesystem is now performed in the main systemd executable as it is used by IMA to provide the interface for loading custom policies. The unit file 'units/sys-kernel-security.mount' has been removed because it is not longer necessary. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> --- Makefile.am | 3 --- src/mount-setup.c | 6 ++++-- units/sys-kernel-security.mount | 17 ----------------- 3 files changed, 4 insertions(+), 22 deletions(-) delete mode 100644 units/sys-kernel-security.mount diff --git a/Makefile.am b/Makefile.am index ab5000b..5a50e15 100644 --- a/Makefile.am +++ b/Makefile.am @@ -291,7 +291,6 @@ dist_systemunit_DATA = \ units/dev-mqueue.mount \ units/sys-kernel-config.mount \ units/sys-kernel-debug.mount \ - units/sys-kernel-security.mount \ units/sys-fs-fuse-connections.mount \ units/var-run.mount \ units/media.mount \ @@ -2342,7 +2341,6 @@ systemd-install-data-hook: dev-mqueue.mount \ sys-kernel-config.mount \ sys-kernel-debug.mount \ - sys-kernel-security.mount \ sys-fs-fuse-connections.mount \ systemd-modules-load.service \ systemd-tmpfiles-setup.service \ @@ -2352,7 +2350,6 @@ systemd-install-data-hook: $(LN_S) ../dev-mqueue.mount dev-mqueue.mount && \ $(LN_S) ../sys-kernel-config.mount sys-kernel-config.mount && \ $(LN_S) ../sys-kernel-debug.mount sys-kernel-debug.mount && \ - $(LN_S) ../sys-kernel-security.mount sys-kernel-security.mount && \ $(LN_S) ../sys-fs-fuse-connections.mount sys-fs-fuse-connections.mount && \ $(LN_S) ../systemd-modules-load.service systemd-modules-load.service && \ $(LN_S) ../systemd-tmpfiles-setup.service systemd-tmpfiles-setup.service && \ diff --git a/src/mount-setup.c b/src/mount-setup.c index 7c14ea8..75d5cae 100644 --- a/src/mount-setup.c +++ b/src/mount-setup.c @@ -51,13 +51,15 @@ typedef struct MountPoint { } MountPoint; /* The first three entries we might need before SELinux is up. The - * other ones we can delay until SELinux is loaded. */ -#define N_EARLY_MOUNT 3 + * fourth (securityfs) is needed by IMA to load a custom policy. The + * other ones we can delay until SELinux and IMA are loaded. */ +#define N_EARLY_MOUNT 4 static const MountPoint mount_table[] = { { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true }, { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true }, { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID, true }, + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true }, { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV, true }, { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false }, { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV, true }, diff --git a/units/sys-kernel-security.mount b/units/sys-kernel-security.mount deleted file mode 100644 index 80cd761..0000000 --- a/units/sys-kernel-security.mount +++ /dev/null @@ -1,17 +0,0 @@ -# This file is part of systemd. -# -# systemd is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. - -[Unit] -Description=Security File System -DefaultDependencies=no -ConditionPathExists=/sys/kernel/security -Before=sysinit.target - -[Mount] -What=securityfs -Where=/sys/kernel/security -Type=securityfs -- 1.7.7.6 [-- Attachment #2: smime.p7s --] [-- Type: application/x-pkcs7-signature, Size: 2061 bytes --] ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH 2/2] main: added support for loading IMA custom policies 2012-02-22 14:52 [PATCH 1/2] systemd: mount the securityfs filesystem at early stage Roberto Sassu @ 2012-02-22 14:52 ` Roberto Sassu [not found] ` <1329922381-13451-2-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> 0 siblings, 1 reply; 17+ messages in thread From: Roberto Sassu @ 2012-02-22 14:52 UTC (permalink / raw) To: systemd-devel Cc: initramfs, linux-ima-user, linux-security-module, mzerqung, Roberto Sassu, zohar, harald, ramunno [-- Attachment #1.1: Type: text/plain, Size: 9605 bytes --] The new function ima_setup() loads an IMA custom policy from a file in the default location '/etc/ima/ima-policy', if present, and writes it to the path 'ima/policy' in the security filesystem. This function is executed at early stage in order to avoid that some file operations are not measured by IMA and it is placed after the initialization of SELinux because IMA needs the latter (or other security modules) to understand LSM-specific rules. This feature is disabled by default and can be enabled by providing the option '--enable-ima' to the configure script. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> --- Makefile.am | 1 + configure.ac | 14 ++++++ src/build.h | 8 +++- src/ima-setup.c | 125 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ src/ima-setup.h | 29 +++++++++++++ src/main.c | 6 ++- 6 files changed, 181 insertions(+), 2 deletions(-) create mode 100644 src/ima-setup.c create mode 100644 src/ima-setup.h diff --git a/Makefile.am b/Makefile.am index 5a50e15..6e6d79e 100644 --- a/Makefile.am +++ b/Makefile.am @@ -515,6 +515,7 @@ libsystemd_core_la_SOURCES = \ src/mount-setup.c \ src/hostname-setup.c \ src/selinux-setup.c \ + src/ima-setup.c \ src/loopback-setup.c \ src/kmod-setup.c \ src/locale-setup.c \ diff --git a/configure.ac b/configure.ac index 62e8cdf..93d3984 100644 --- a/configure.ac +++ b/configure.ac @@ -127,6 +127,19 @@ PKG_CHECK_MODULES(UDEV, [ libudev >= 172 ]) PKG_CHECK_MODULES(DBUS, [ dbus-1 >= 1.3.2 ]) PKG_CHECK_MODULES(KMOD, [ libkmod >= 5 ]) +have_ima=no +AC_ARG_ENABLE([ima], AS_HELP_STRING([--disable-ima],[Disable optional IMA support]), + [case "${enableval}" in + yes) have_ima=yes ;; + no) have_ima=no ;; + *) AC_MSG_ERROR(bad value ${enableval} for --disable-ima) ;; + esac], + [have_ima=no]) + +if test "x${have_ima}" != xno ; then + AC_DEFINE(HAVE_IMA, 1, [Define if IMA is available]) +fi + have_selinux=no AC_ARG_ENABLE(selinux, AS_HELP_STRING([--disable-selinux], [Disable optional SELINUX support])) if test "x$enable_selinux" != "xno"; then @@ -628,6 +641,7 @@ AC_MSG_RESULT([ tcpwrap: ${have_tcpwrap} PAM: ${have_pam} AUDIT: ${have_audit} + IMA: ${have_ima} SELinux: ${have_selinux} XZ: ${have_xz} ACL: ${have_acl} diff --git a/src/build.h b/src/build.h index 50cd79d..0619013 100644 --- a/src/build.h +++ b/src/build.h @@ -46,6 +46,12 @@ #define _SELINUX_FEATURE_ "-SELINUX" #endif +#ifdef HAVE_IMA +#define _IMA_FEATURE_ "+IMA" +#else +#define _IMA_FEATURE_ "-IMA" +#endif + #ifdef HAVE_SYSV_COMPAT #define _SYSVINIT_FEATURE_ "+SYSVINIT" #else @@ -58,6 +64,6 @@ #define _LIBCRYPTSETUP_FEATURE_ "-LIBCRYPTSETUP" #endif -#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_ +#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_ #endif diff --git a/src/ima-setup.c b/src/ima-setup.c new file mode 100644 index 0000000..81eb043 --- /dev/null +++ b/src/ima-setup.c @@ -0,0 +1,125 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +/*** + This file is part of systemd. + + Copyright 2010 Lennart Poettering + Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy + TORSEC group -- http://security.polito.it + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <unistd.h> +#include <stdio.h> +#include <errno.h> +#include <string.h> +#include <stdlib.h> +#include <fcntl.h> +#include <sys/stat.h> +#include <sys/mman.h> + +#include "ima-setup.h" +#include "mount-setup.h" +#include "macro.h" +#include "util.h" +#include "log.h" +#include "label.h" + +#define IMA_SECFS_DIR "/sys/kernel/security/ima" +#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy" +#define IMA_POLICY_PATH "/etc/ima/ima-policy" + +int ima_setup(void) { + +#ifdef HAVE_IMA + struct stat st; + ssize_t policy_size = 0, written = 0; + char *policy; + int policyfd = -1, imafd = -1; + int policy_line_number = 1; + int result = 0; + +#ifndef HAVE_SELINUX + /* Mount the securityfs filesystem */ + mount_setup_early(); +#endif + + if (stat(IMA_POLICY_PATH, &st) < 0) + return 0; + + policy_size = st.st_size; + if (stat(IMA_SECFS_DIR, &st) < 0) { + log_debug("IMA support is disabled in the kernel, ignoring."); + return 0; + } + + if (stat(IMA_SECFS_POLICY, &st) < 0) { + log_error("Another IMA custom policy has already been loaded, " + "ignoring."); + return 0; + } + + policyfd = open(IMA_POLICY_PATH, O_RDONLY|O_CLOEXEC); + if (policyfd < 0) { + log_error("Failed to open the IMA custom policy file %s (%m), " + "ignoring.", IMA_POLICY_PATH); + return 0; + } + + imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC); + if (imafd < 0) { + log_error("Failed to open the IMA kernel interface %s (%m), " + "ignoring.", IMA_SECFS_POLICY); + goto out; + } + + policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0); + if (policy == MAP_FAILED) { + log_error("mmap() failed (%m), freezing"); + result = -errno; + goto out; + } + + while(written < policy_size) { + ssize_t len = write(imafd, policy + written, + policy_size - written); + if (len <= 0) { + if (errno == EINVAL) + log_error("Invalid line #%d in the IMA custom policy file %s", + policy_line_number, IMA_POLICY_PATH); + + log_error("Failed to load the IMA custom policy " + "file %s (%m), ignoring.", IMA_POLICY_PATH); + goto out_mmap; + } + written += len; + policy_line_number++; + } + + log_info("Successfully loaded the IMA custom policy %s.", + IMA_POLICY_PATH); +out_mmap: + munmap(policy, policy_size); +out: + if (policyfd >= 0) + close_nointr_nofail(policyfd); + if (imafd >= 0) + close_nointr_nofail(imafd); + if (result) + return result; +#endif /* HAVE_IMA */ + + return 0; +} diff --git a/src/ima-setup.h b/src/ima-setup.h new file mode 100644 index 0000000..7d677cf --- /dev/null +++ b/src/ima-setup.h @@ -0,0 +1,29 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +#ifndef fooimasetuphfoo +#define fooimasetuphfoo + +/*** + This file is part of systemd. + + Copyright 2010 Lennart Poettering + Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy + TORSEC group -- http://security.polito.it + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +int ima_setup(void); + +#endif diff --git a/src/main.c b/src/main.c index ed317b4..7ae8841 100644 --- a/src/main.c +++ b/src/main.c @@ -41,6 +41,7 @@ #include "kmod-setup.h" #include "locale-setup.h" #include "selinux-setup.h" +#include "ima-setup.h" #include "machine-id-setup.h" #include "load-fragment.h" #include "fdset.h" @@ -1203,9 +1204,12 @@ int main(int argc, char *argv[]) { arg_running_as = MANAGER_SYSTEM; log_set_target(detect_container(NULL) > 0 ? LOG_TARGET_CONSOLE : LOG_TARGET_JOURNAL_OR_KMSG); - if (!is_reexec) + if (!is_reexec) { if (selinux_setup(&loaded_policy) < 0) goto finish; + if (ima_setup() < 0) + goto finish; + } log_open(); -- 1.7.7.6 [-- Attachment #1.2: smime.p7s --] [-- Type: application/x-pkcs7-signature, Size: 2061 bytes --] [-- Attachment #2: Type: text/plain, Size: 171 bytes --] _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel ^ permalink raw reply related [flat|nested] 17+ messages in thread
[parent not found: <1329922381-13451-2-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>]
* Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies [not found] ` <1329922381-13451-2-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> @ 2012-03-05 14:39 ` Lennart Poettering 2012-03-05 16:15 ` Roberto Sassu 0 siblings, 1 reply; 17+ messages in thread From: Lennart Poettering @ 2012-03-05 14:39 UTC (permalink / raw) To: Roberto Sassu Cc: systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, initramfs-u79uwXL29TY76Z2rM5mHXA, linux-ima-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, linux-security-module-u79uwXL29TY76Z2rM5mHXA, zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8, harald-H+wXaHxf7aLQT0dZR+AlfA, ramunno-8RLafaVCWuNeoWH0uzbU5w On Wed, 22.02.12 15:52, Roberto Sassu (roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org) wrote: Heya, > + policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0); > + if (policy == MAP_FAILED) { > + log_error("mmap() failed (%m), freezing"); > + result = -errno; > + goto out; > + } > + > + while(written < policy_size) { > + ssize_t len = write(imafd, policy + written, > + policy_size - written); > + if (len <= 0) { > + if (errno == EINVAL) > + log_error("Invalid line #%d in the IMA custom policy file %s", > + policy_line_number, IMA_POLICY_PATH); > + > + log_error("Failed to load the IMA custom policy " > + "file %s (%m), ignoring.", IMA_POLICY_PATH); > + goto out_mmap; > + } > + written += len; > + policy_line_number++; I don't understand the counting here of policy_line_number? You attempt to write the whole policy at once, no? How does this counting of line numbers work here then? Or does the write() call on the kernel file actually only accept one line at a time? If that's the case is it really a good idea to rely on that behaviour? Knowing how these things go eventually things might get optimized to read more than one line at once and then the counting here will be off. Maybe it makes sense to drop the counting entirely here? (Something else thing that gets me thinking: by mmap()ing the source file you imply that the policy can never grow beyond 2G or so. I presume that's not a problem, right?) Otherwise looks good. Lennart -- Lennart Poettering - Red Hat, Inc. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH 2/2] main: added support for loading IMA custom policies 2012-03-05 14:39 ` [systemd-devel] " Lennart Poettering @ 2012-03-05 16:15 ` Roberto Sassu [not found] ` <4F54E688.2020306-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> 0 siblings, 1 reply; 17+ messages in thread From: Roberto Sassu @ 2012-03-05 16:15 UTC (permalink / raw) To: Lennart Poettering Cc: initramfs, systemd-devel, linux-ima-user, linux-security-module, zohar, harald, ramunno On 03/05/2012 03:39 PM, Lennart Poettering wrote: > On Wed, 22.02.12 15:52, Roberto Sassu (roberto.sassu@polito.it) wrote: > > Heya, > >> + policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0); >> + if (policy == MAP_FAILED) { >> + log_error("mmap() failed (%m), freezing"); >> + result = -errno; >> + goto out; >> + } >> + >> + while(written< policy_size) { >> + ssize_t len = write(imafd, policy + written, >> + policy_size - written); >> + if (len<= 0) { >> + if (errno == EINVAL) >> + log_error("Invalid line #%d in the IMA custom policy file %s", >> + policy_line_number, IMA_POLICY_PATH); >> + >> + log_error("Failed to load the IMA custom policy " >> + "file %s (%m), ignoring.", IMA_POLICY_PATH); >> + goto out_mmap; >> + } >> + written += len; >> + policy_line_number++; > > I don't understand the counting here of policy_line_number? You attempt > to write the whole policy at once, no? How does this counting of line > numbers work here then? Or does the write() call on the kernel file > actually only accept one line at a time? If that's the case is it really > a good idea to rely on that behaviour? Knowing how these things go > eventually things might get optimized to read more than one line at once > and then the counting here will be off. Maybe it makes sense to drop the > counting entirely here? > Hi Lennart yes, the kernel interface accepts only one line at time. I implemented this code because it is not possible to known from the kernel logs what is the invalid line if the policy contains several lines. Indeed, IMA sends an audit message for each parsed rule, so that some are dropped due to the rate limit of audit. I agree that is not a good idea writing a code that depends on the specific implementation of how the policy loading is handled. So, a solution may be to drop the counting code here and to solve the issue by allowing IMA to send an audit message only when an invalid rule is encountered. Mimi, do you agree with that? Thanks Roberto Sassu > (Something else thing that gets me thinking: by mmap()ing the source > file you imply that the policy can never grow beyond 2G or so. I presume > that's not a problem, right?) > > Otherwise looks good. > > Lennart > ^ permalink raw reply [flat|nested] 17+ messages in thread
[parent not found: <4F54E688.2020306-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>]
* Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies [not found] ` <4F54E688.2020306-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> @ 2012-03-05 18:11 ` Mimi Zohar 0 siblings, 0 replies; 17+ messages in thread From: Mimi Zohar @ 2012-03-05 18:11 UTC (permalink / raw) To: Roberto Sassu Cc: Lennart Poettering, systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, initramfs-u79uwXL29TY76Z2rM5mHXA, linux-ima-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, linux-security-module-u79uwXL29TY76Z2rM5mHXA, harald-H+wXaHxf7aLQT0dZR+AlfA, ramunno-8RLafaVCWuNeoWH0uzbU5w On Mon, 2012-03-05 at 17:15 +0100, Roberto Sassu wrote: > On 03/05/2012 03:39 PM, Lennart Poettering wrote: > > On Wed, 22.02.12 15:52, Roberto Sassu (roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org) wrote: > > > > Heya, > > > >> + policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0); > >> + if (policy == MAP_FAILED) { > >> + log_error("mmap() failed (%m), freezing"); > >> + result = -errno; > >> + goto out; > >> + } > >> + > >> + while(written< policy_size) { > >> + ssize_t len = write(imafd, policy + written, > >> + policy_size - written); > >> + if (len<= 0) { > >> + if (errno == EINVAL) > >> + log_error("Invalid line #%d in the IMA custom policy file %s", > >> + policy_line_number, IMA_POLICY_PATH); > >> + > >> + log_error("Failed to load the IMA custom policy " > >> + "file %s (%m), ignoring.", IMA_POLICY_PATH); > >> + goto out_mmap; > >> + } > >> + written += len; > >> + policy_line_number++; > > > > I don't understand the counting here of policy_line_number? You attempt > > to write the whole policy at once, no? How does this counting of line > > numbers work here then? Or does the write() call on the kernel file > > actually only accept one line at a time? If that's the case is it really > > a good idea to rely on that behaviour? Knowing how these things go > > eventually things might get optimized to read more than one line at once > > and then the counting here will be off. Maybe it makes sense to drop the > > counting entirely here? > > > > Hi Lennart > > yes, the kernel interface accepts only one line at time. I implemented > this code because it is not possible to known from the kernel logs what > is the invalid line if the policy contains several lines. Indeed, IMA > sends an audit message for each parsed rule, so that some are dropped > due to the rate limit of audit. > > I agree that is not a good idea writing a code that depends on the > specific implementation of how the policy loading is handled. So, a > solution may be to drop the counting code here and to solve the issue > by allowing IMA to send an audit message only when an invalid rule is > encountered. > > Mimi, do you agree with that? With the audit log rate limiting, the current method is not very informative. How about implementing the securityfs 'read' ops to display the rules? Then, displaying only the invalid rule makes sense. thanks, Mimi ^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH 1/2] systemd: mount the securityfs filesystem at early stage @ 2012-02-15 13:23 Roberto Sassu 2012-02-15 13:23 ` [PATCH 2/2] main: added support for loading IMA custom policies Roberto Sassu 0 siblings, 1 reply; 17+ messages in thread From: Roberto Sassu @ 2012-02-15 13:23 UTC (permalink / raw) To: systemd-devel Cc: linux-security-module, linux-ima-user, initramfs, ramunno, zohar, mzerqung, harald, Roberto Sassu [-- Attachment #1: Type: text/plain, Size: 4231 bytes --] The mount of the securityfs filesystem is now performed in the main systemd executable as it is used by IMA to provide the interface for loading custom policies. The unit file 'units/sys-kernel-security.mount' has been removed because it is not longer necessary. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> --- Makefile.am | 3 --- src/mount-setup.c | 6 ++++-- src/mount-setup.h | 2 ++ units/sys-kernel-security.mount | 17 ----------------- 4 files changed, 6 insertions(+), 22 deletions(-) delete mode 100644 units/sys-kernel-security.mount diff --git a/Makefile.am b/Makefile.am index 983ea16..d3d0ed8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -291,7 +291,6 @@ dist_systemunit_DATA = \ units/dev-mqueue.mount \ units/sys-kernel-config.mount \ units/sys-kernel-debug.mount \ - units/sys-kernel-security.mount \ units/sys-fs-fuse-connections.mount \ units/var-run.mount \ units/media.mount \ @@ -2374,7 +2373,6 @@ systemd-install-data-hook: dev-mqueue.mount \ sys-kernel-config.mount \ sys-kernel-debug.mount \ - sys-kernel-security.mount \ sys-fs-fuse-connections.mount \ systemd-modules-load.service \ systemd-tmpfiles-setup.service \ @@ -2384,7 +2382,6 @@ systemd-install-data-hook: $(LN_S) ../dev-mqueue.mount dev-mqueue.mount && \ $(LN_S) ../sys-kernel-config.mount sys-kernel-config.mount && \ $(LN_S) ../sys-kernel-debug.mount sys-kernel-debug.mount && \ - $(LN_S) ../sys-kernel-security.mount sys-kernel-security.mount && \ $(LN_S) ../sys-fs-fuse-connections.mount sys-fs-fuse-connections.mount && \ $(LN_S) ../systemd-modules-load.service systemd-modules-load.service && \ $(LN_S) ../systemd-tmpfiles-setup.service systemd-tmpfiles-setup.service && \ diff --git a/src/mount-setup.c b/src/mount-setup.c index 7c14ea8..62bf743 100644 --- a/src/mount-setup.c +++ b/src/mount-setup.c @@ -51,13 +51,15 @@ typedef struct MountPoint { } MountPoint; /* The first three entries we might need before SELinux is up. The - * other ones we can delay until SELinux is loaded. */ -#define N_EARLY_MOUNT 3 + * fourth (securityfs) is needed by IMA to load a custom policy. The + * other ones we can delay until SELinux and IMA are loaded. */ +#define N_EARLY_MOUNT 4 static const MountPoint mount_table[] = { { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true }, { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true }, { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID, true }, + { "securityfs", SECURITYFS_MNTPOINT, "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, false }, { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV, true }, { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false }, { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV, true }, diff --git a/src/mount-setup.h b/src/mount-setup.h index c1a27ba..df6f518 100644 --- a/src/mount-setup.h +++ b/src/mount-setup.h @@ -24,6 +24,8 @@ #include <stdbool.h> +#define SECURITYFS_MNTPOINT "/sys/kernel/security" + int mount_setup_early(void); int mount_setup(bool loaded_policy); diff --git a/units/sys-kernel-security.mount b/units/sys-kernel-security.mount deleted file mode 100644 index 80cd761..0000000 --- a/units/sys-kernel-security.mount +++ /dev/null @@ -1,17 +0,0 @@ -# This file is part of systemd. -# -# systemd is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. - -[Unit] -Description=Security File System -DefaultDependencies=no -ConditionPathExists=/sys/kernel/security -Before=sysinit.target - -[Mount] -What=securityfs -Where=/sys/kernel/security -Type=securityfs -- 1.7.7.6 [-- Attachment #2: smime.p7s --] [-- Type: application/x-pkcs7-signature, Size: 2061 bytes --] ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH 2/2] main: added support for loading IMA custom policies 2012-02-15 13:23 [PATCH 1/2] systemd: mount the securityfs filesystem at early stage Roberto Sassu @ 2012-02-15 13:23 ` Roberto Sassu [not found] ` <1329312229-11856-2-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> 0 siblings, 1 reply; 17+ messages in thread From: Roberto Sassu @ 2012-02-15 13:23 UTC (permalink / raw) To: systemd-devel Cc: linux-security-module, linux-ima-user, initramfs, ramunno, zohar, mzerqung, harald, Roberto Sassu [-- Attachment #1: Type: text/plain, Size: 7103 bytes --] The new function ima_setup() loads an IMA custom policy from a file in the default location '/etc/sysconfig/ima-policy', if present, and writes it to the path 'ima/policy' in the security filesystem. This function is executed at early stage in order to avoid that some file operations are not measured by IMA and it is placed after the initialization of SELinux because IMA needs the latter (or other security modules) to understand LSM-specific rules. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> --- Makefile.am | 1 + src/ima-setup.c | 114 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ src/ima-setup.h | 29 ++++++++++++++ src/main.c | 6 ++- 4 files changed, 149 insertions(+), 1 deletions(-) create mode 100644 src/ima-setup.c create mode 100644 src/ima-setup.h diff --git a/Makefile.am b/Makefile.am index d3d0ed8..7476caa 100644 --- a/Makefile.am +++ b/Makefile.am @@ -515,6 +515,7 @@ libsystemd_core_la_SOURCES = \ src/mount-setup.c \ src/hostname-setup.c \ src/selinux-setup.c \ + src/ima-setup.c \ src/loopback-setup.c \ src/kmod-setup.c \ src/locale-setup.c \ diff --git a/src/ima-setup.c b/src/ima-setup.c new file mode 100644 index 0000000..45afc0c --- /dev/null +++ b/src/ima-setup.c @@ -0,0 +1,114 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +/*** + This file is part of systemd. + + Copyright 2010 Lennart Poettering + Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy + TORSEC group -- http://security.polito.it + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <unistd.h> +#include <stdio.h> +#include <errno.h> +#include <string.h> +#include <stdlib.h> +#include <fcntl.h> +#include <sys/stat.h> +#include <sys/mman.h> + +#include "ima-setup.h" +#include "mount-setup.h" +#include "macro.h" +#include "util.h" +#include "log.h" +#include "label.h" + +#define IMA_SECFS_DIR SECURITYFS_MNTPOINT "/ima" +#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy" +#define IMA_POLICY_PATH "/etc/sysconfig/ima-policy" + +int ima_setup(void) { + struct stat st; + ssize_t policy_size = 0, written = 0; + char *policy; + int policyfd = -1, imafd = -1; + int result = 0; + +#ifndef HAVE_SELINUX + /* Mount the securityfs filesystem */ + mount_setup_early(); +#endif + + if (stat(IMA_POLICY_PATH, &st) == -1) + return 0; + + policy_size = st.st_size; + if (stat(IMA_SECFS_DIR, &st) == -1) { + log_debug("IMA support is disabled in the kernel, ignoring."); + return 0; + } + + if (stat(IMA_SECFS_POLICY, &st) == -1) { + log_error("Another IMA custom policy has already been loaded, " + "ignoring."); + return 0; + } + + policyfd = open(IMA_POLICY_PATH, O_RDONLY); + if (policyfd < 0) { + log_error("Failed to open the IMA custom policy file %s (%s), " + "ignoring.", IMA_POLICY_PATH, strerror(errno)); + return 0; + } + + imafd = open(IMA_SECFS_POLICY, O_WRONLY); + if (imafd < 0) { + log_error("Failed to open the IMA kernel interface %s (%s), " + "ignoring.", IMA_SECFS_POLICY, strerror(errno)); + goto out; + } + + policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0); + if (policy == NULL) { + log_error("mmap() failed (%s), freezing", strerror(errno)); + result = -errno; + goto out; + } + + while(written < policy_size) { + ssize_t len = write(imafd, policy + written, + policy_size - written); + if (len <= 0) { + log_error("Failed to load the IMA custom policy " + "file %s (%s), ignoring.", IMA_POLICY_PATH, + strerror(errno)); + goto out_mmap; + } + written += len; + } + + log_info("Successfully loaded the IMA custom policy %s.", + IMA_POLICY_PATH); +out_mmap: + munmap(policy, policy_size); +out: + if (policyfd >= 0) + close_nointr_nofail(policyfd); + if (imafd >= 0) + close_nointr_nofail(imafd); + return result; +} diff --git a/src/ima-setup.h b/src/ima-setup.h new file mode 100644 index 0000000..7d677cf --- /dev/null +++ b/src/ima-setup.h @@ -0,0 +1,29 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +#ifndef fooimasetuphfoo +#define fooimasetuphfoo + +/*** + This file is part of systemd. + + Copyright 2010 Lennart Poettering + Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy + TORSEC group -- http://security.polito.it + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +int ima_setup(void); + +#endif diff --git a/src/main.c b/src/main.c index ed317b4..7ae8841 100644 --- a/src/main.c +++ b/src/main.c @@ -41,6 +41,7 @@ #include "kmod-setup.h" #include "locale-setup.h" #include "selinux-setup.h" +#include "ima-setup.h" #include "machine-id-setup.h" #include "load-fragment.h" #include "fdset.h" @@ -1203,9 +1204,12 @@ int main(int argc, char *argv[]) { arg_running_as = MANAGER_SYSTEM; log_set_target(detect_container(NULL) > 0 ? LOG_TARGET_CONSOLE : LOG_TARGET_JOURNAL_OR_KMSG); - if (!is_reexec) + if (!is_reexec) { if (selinux_setup(&loaded_policy) < 0) goto finish; + if (ima_setup() < 0) + goto finish; + } log_open(); -- 1.7.7.6 [-- Attachment #2: smime.p7s --] [-- Type: application/x-pkcs7-signature, Size: 2061 bytes --] ^ permalink raw reply related [flat|nested] 17+ messages in thread
[parent not found: <1329312229-11856-2-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>]
* Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies [not found] ` <1329312229-11856-2-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> @ 2012-02-15 14:30 ` Gustavo Sverzut Barbieri 2012-02-15 16:26 ` Roberto Sassu 2012-02-20 17:12 ` Lennart Poettering 1 sibling, 1 reply; 17+ messages in thread From: Gustavo Sverzut Barbieri @ 2012-02-15 14:30 UTC (permalink / raw) To: Roberto Sassu Cc: systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, initramfs-u79uwXL29TY76Z2rM5mHXA, linux-ima-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, linux-security-module-u79uwXL29TY76Z2rM5mHXA, mzerqung-uLTowLwuiw4b1SvskN2V4Q, zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8, harald-H+wXaHxf7aLQT0dZR+AlfA, ramunno-8RLafaVCWuNeoWH0uzbU5w On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> wrote: > The new function ima_setup() loads an IMA custom policy from a file in the > default location '/etc/sysconfig/ima-policy', if present, and writes it to isn't /etc/sysconfig too specific to Fedora? Also, I certainly have no such things in my system and see no point in calling ima_setup() on it. Or even compiling the source file in such case. -- Gustavo Sverzut Barbieri http://profusion.mobi embedded systems -------------------------------------- MSN: barbieri-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org Skype: gsbarbieri Mobile: +55 (19) 9225-2202 ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH 2/2] main: added support for loading IMA custom policies 2012-02-15 14:30 ` [systemd-devel] " Gustavo Sverzut Barbieri @ 2012-02-15 16:26 ` Roberto Sassu [not found] ` <4F3BDCAA.7040001-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> 0 siblings, 1 reply; 17+ messages in thread From: Roberto Sassu @ 2012-02-15 16:26 UTC (permalink / raw) To: Gustavo Sverzut Barbieri Cc: initramfs, systemd-devel, linux-ima-user, linux-security-module, mzerqung, zohar, harald, ramunno On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote: > On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu<roberto.sassu@polito.it> wrote: >> The new function ima_setup() loads an IMA custom policy from a file in the >> default location '/etc/sysconfig/ima-policy', if present, and writes it to > > isn't /etc/sysconfig too specific to Fedora? > Hi Gustavo probably yes. I see the code in 'src/locale-setup.c' where the the configuration directory depends on the target distribution. I can implement something like that in my patch. > Also, I certainly have no such things in my system and see no point in > calling ima_setup() on it. Or even compiling the source file in such > case. > Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA' statement, as it happens for SELinux. However an issue is that there is no a specific package for IMA that can be checked to set the HAVE_IMA definition to yes. Instead, the code can be enabled for example by adding the parameter '--enable_ima' in the configure script. Regards Roberto Sassu ^ permalink raw reply [flat|nested] 17+ messages in thread
[parent not found: <4F3BDCAA.7040001-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>]
* Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies [not found] ` <4F3BDCAA.7040001-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> @ 2012-02-15 16:55 ` Gustavo Sverzut Barbieri [not found] ` <CAPdpN3C0xDeVBrbDxesPdEV+owf-q_wxUHTmr4YDCHw=NgPV1Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 2012-02-20 17:13 ` Lennart Poettering 1 sibling, 1 reply; 17+ messages in thread From: Gustavo Sverzut Barbieri @ 2012-02-15 16:55 UTC (permalink / raw) To: Roberto Sassu Cc: systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, initramfs-u79uwXL29TY76Z2rM5mHXA, linux-ima-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, linux-security-module-u79uwXL29TY76Z2rM5mHXA, mzerqung-uLTowLwuiw4b1SvskN2V4Q, zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8, harald-H+wXaHxf7aLQT0dZR+AlfA, ramunno-8RLafaVCWuNeoWH0uzbU5w On Wed, Feb 15, 2012 at 2:26 PM, Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> wrote: > > On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote: >> >> On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu<roberto.sassu@polito.it> Â wrote: >>> >>> The new function ima_setup() loads an IMA custom policy from a file in the >>> default location '/etc/sysconfig/ima-policy', if present, and writes it to >> >> >> isn't /etc/sysconfig too specific to Fedora? >> > > Hi Gustavo > > probably yes. I see the code in 'src/locale-setup.c' where the > the configuration directory depends on the target distribution. > I can implement something like that in my patch. Can't IMA be changed? Lennart seems to be pushing for distribution independent location files. If you can get IMA people to agree on something, just use this one instead. People that use IMA with systemd must use this location. Eventually this will happen with every configuration file we support. >> Also, I certainly have no such things in my system and see no point in >> calling ima_setup() on it. Or even compiling the source file in such >> case. >> > > Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA' > statement, as it happens for SELinux. However an issue is that there is no a specific package for IMA that can be checked to set the HAVE_IMA > definition to yes. Instead, the code can be enabled for example by > adding the parameter '--enable_ima' in the configure script. okay. -- Gustavo Sverzut Barbieri http://profusion.mobi embedded systems -------------------------------------- MSN: barbieri-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org Skype: gsbarbieri Mobile: +55 (19) 9225-2202 ^ permalink raw reply [flat|nested] 17+ messages in thread
[parent not found: <CAPdpN3C0xDeVBrbDxesPdEV+owf-q_wxUHTmr4YDCHw=NgPV1Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]
* Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies [not found] ` <CAPdpN3C0xDeVBrbDxesPdEV+owf-q_wxUHTmr4YDCHw=NgPV1Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> @ 2012-02-15 17:12 ` Roberto Sassu 2012-02-20 17:14 ` Lennart Poettering 0 siblings, 1 reply; 17+ messages in thread From: Roberto Sassu @ 2012-02-15 17:12 UTC (permalink / raw) To: Gustavo Sverzut Barbieri Cc: systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, initramfs-u79uwXL29TY76Z2rM5mHXA, linux-ima-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, linux-security-module-u79uwXL29TY76Z2rM5mHXA, mzerqung-uLTowLwuiw4b1SvskN2V4Q, zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8, harald-H+wXaHxf7aLQT0dZR+AlfA, ramunno-8RLafaVCWuNeoWH0uzbU5w On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote: > On Wed, Feb 15, 2012 at 2:26 PM, Roberto Sassu<roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> wrote: >> >> On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote: >>> >>> On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu<roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> wrote: >>>> >>>> The new function ima_setup() loads an IMA custom policy from a file in the >>>> default location '/etc/sysconfig/ima-policy', if present, and writes it to >>> >>> >>> isn't /etc/sysconfig too specific to Fedora? >>> >> >> Hi Gustavo >> >> probably yes. I see the code in 'src/locale-setup.c' where the >> the configuration directory depends on the target distribution. >> I can implement something like that in my patch. > > Can't IMA be changed? Lennart seems to be pushing for distribution > independent location files. If you can get IMA people to agree on > something, just use this one instead. > > People that use IMA with systemd must use this location. Eventually > this will happen with every configuration file we support. > The location of the policy file is not IMA dependent. I chose that because it seemed to me the right place where to put this file. So, i can easily modify the location to be distribution independent but i don't known which directory would be appropriate. Any proposal? Regards Roberto Sassu > >>> Also, I certainly have no such things in my system and see no point in >>> calling ima_setup() on it. Or even compiling the source file in such >>> case. >>> >> >> Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA' >> statement, as it happens for SELinux. However an issue is that there is no a specific package for IMA that can be checked to set the HAVE_IMA >> definition to yes. Instead, the code can be enabled for example by >> adding the parameter '--enable_ima' in the configure script. > > okay. > > -- > Gustavo Sverzut Barbieri > http://profusion.mobi embedded systems > -------------------------------------- > MSN: barbieri-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org > Skype: gsbarbieri > Mobile: +55 (19) 9225-2202 ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies 2012-02-15 17:12 ` Roberto Sassu @ 2012-02-20 17:14 ` Lennart Poettering 2012-02-20 18:36 ` Roberto Sassu 0 siblings, 1 reply; 17+ messages in thread From: Lennart Poettering @ 2012-02-20 17:14 UTC (permalink / raw) To: Roberto Sassu Cc: Gustavo Sverzut Barbieri, initramfs, systemd-devel, linux-ima-user, linux-security-module, zohar, harald, ramunno On Wed, 15.02.12 18:12, Roberto Sassu (roberto.sassu@polito.it) wrote: > The location of the policy file is not IMA dependent. I chose that > because it seemed to me the right place where to put this file. > So, i can easily modify the location to be distribution independent > but i don't known which directory would be appropriate. > Any proposal? /etc/ima.conf or /etc/ima/ima.conf sound like obvious candidates. Lennart -- Lennart Poettering - Red Hat, Inc. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies 2012-02-20 17:14 ` Lennart Poettering @ 2012-02-20 18:36 ` Roberto Sassu [not found] ` <4F4292A4.2030402-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> 0 siblings, 1 reply; 17+ messages in thread From: Roberto Sassu @ 2012-02-20 18:36 UTC (permalink / raw) To: Lennart Poettering Cc: Gustavo Sverzut Barbieri, initramfs, systemd-devel, linux-ima-user, linux-security-module, zohar, harald, ramunno On 02/20/2012 06:14 PM, Lennart Poettering wrote: > On Wed, 15.02.12 18:12, Roberto Sassu (roberto.sassu@polito.it) wrote: > >> The location of the policy file is not IMA dependent. I chose that >> because it seemed to me the right place where to put this file. >> So, i can easily modify the location to be distribution independent >> but i don't known which directory would be appropriate. >> Any proposal? > > /etc/ima.conf or /etc/ima/ima.conf sound like obvious candidates. > I prefer the first one, because the second pathname raises the problem of creating a new subdirectory. However, i think we should keep the word 'policy' in the file name to avoid users believe that is a configuration file. Once we define the new pathname, i will also create a patch for the IMA module in dracut to make sure things work also for distributions that do not have Systemd installed. Thanks Roberto Sassu > Lennart > ^ permalink raw reply [flat|nested] 17+ messages in thread
[parent not found: <4F4292A4.2030402-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>]
* Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies [not found] ` <4F4292A4.2030402-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> @ 2012-02-20 19:07 ` Lennart Poettering 2012-02-21 9:17 ` Roberto Sassu 0 siblings, 1 reply; 17+ messages in thread From: Lennart Poettering @ 2012-02-20 19:07 UTC (permalink / raw) To: Roberto Sassu Cc: Gustavo Sverzut Barbieri, initramfs-u79uwXL29TY76Z2rM5mHXA, systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, linux-ima-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, linux-security-module-u79uwXL29TY76Z2rM5mHXA, zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8, harald-H+wXaHxf7aLQT0dZR+AlfA, ramunno-8RLafaVCWuNeoWH0uzbU5w On Mon, 20.02.12 19:36, Roberto Sassu (roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org) wrote: > > On 02/20/2012 06:14 PM, Lennart Poettering wrote: > >On Wed, 15.02.12 18:12, Roberto Sassu (roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org) wrote: > > > >>The location of the policy file is not IMA dependent. I chose that > >>because it seemed to me the right place where to put this file. > >>So, i can easily modify the location to be distribution independent > >>but i don't known which directory would be appropriate. > >>Any proposal? > > > >/etc/ima.conf or /etc/ima/ima.conf sound like obvious candidates. > > > > I prefer the first one, because the second pathname raises the problem > of creating a new subdirectory. However, i think we should keep the > word 'policy' in the file name to avoid users believe that is a > configuration file. Creating a subdir is a problem? How so? You should use a subdir /etc/ima/ if there's the chance that sooner or later you might have to add another config file of some sorts to IMA. If you are really sure that never happens, then you don't need the dir, but if you are in doubt, better use one. (But this is the policy file, right? so i figure you might end up with adding a conf file with options like selinux' enforcing/permissive later on, so i think you should better add a dir) (Oh, and in contrast to what i suggested, if this is the policy file, and not a configuration file, the .conf suffix of course makes little sense) Lennart -- Lennart Poettering - Red Hat, Inc. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies 2012-02-20 19:07 ` Lennart Poettering @ 2012-02-21 9:17 ` Roberto Sassu 0 siblings, 0 replies; 17+ messages in thread From: Roberto Sassu @ 2012-02-21 9:17 UTC (permalink / raw) To: Lennart Poettering Cc: Gustavo Sverzut Barbieri, initramfs, systemd-devel, linux-ima-user, linux-security-module, zohar, harald, ramunno On 02/20/2012 08:07 PM, Lennart Poettering wrote: > On Mon, 20.02.12 19:36, Roberto Sassu (roberto.sassu@polito.it) wrote: > >> >> On 02/20/2012 06:14 PM, Lennart Poettering wrote: >>> On Wed, 15.02.12 18:12, Roberto Sassu (roberto.sassu@polito.it) wrote: >>> >>>> The location of the policy file is not IMA dependent. I chose that >>>> because it seemed to me the right place where to put this file. >>>> So, i can easily modify the location to be distribution independent >>>> but i don't known which directory would be appropriate. >>>> Any proposal? >>> >>> /etc/ima.conf or /etc/ima/ima.conf sound like obvious candidates. >>> >> >> I prefer the first one, because the second pathname raises the problem >> of creating a new subdirectory. However, i think we should keep the >> word 'policy' in the file name to avoid users believe that is a >> configuration file. > > Creating a subdir is a problem? How so? > The problem i see is who creates the subdirectory. In the Systemd case, i think this should be accomplished in the Makefile or in the RPM script. Other boot solutions should implement something like that and they need to create the subdirectory as well. This because, as said above, there is no an IMA userspace package to perform the operation. However, if the creation is made by the boot software i think this should not be a problem. > You should use a subdir /etc/ima/ if there's the chance that sooner or > later you might have to add another config file of some sorts to IMA. If > you are really sure that never happens, then you don't need the dir, but > if you are in doubt, better use one. (But this is the policy file, > right? so i figure you might end up with adding a conf file with options > like selinux' enforcing/permissive later on, so i think you should > better add a dir) > Ok, probably is better to add a new subdirectory to support additional IMA configuration files. Maybe Mimi Zohar knows if there are plans to introduce new files. > (Oh, and in contrast to what i suggested, if this is the policy file, > and not a configuration file, the .conf suffix of course makes little sense) > So, finally i think we can agree to use '/etc/ima/ima-policy' as pathname for the IMA custom policy. Thanks Roberto Sassu > Lennart > ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies [not found] ` <4F3BDCAA.7040001-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> 2012-02-15 16:55 ` [systemd-devel] " Gustavo Sverzut Barbieri @ 2012-02-20 17:13 ` Lennart Poettering 1 sibling, 0 replies; 17+ messages in thread From: Lennart Poettering @ 2012-02-20 17:13 UTC (permalink / raw) To: Roberto Sassu Cc: Gustavo Sverzut Barbieri, initramfs-u79uwXL29TY76Z2rM5mHXA, systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, linux-ima-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, linux-security-module-u79uwXL29TY76Z2rM5mHXA, zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8, harald-H+wXaHxf7aLQT0dZR+AlfA, ramunno-8RLafaVCWuNeoWH0uzbU5w On Wed, 15.02.12 17:26, Roberto Sassu (roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org) wrote: > > On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote: > >On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu<roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> wrote: > >>The new function ima_setup() loads an IMA custom policy from a file in the > >>default location '/etc/sysconfig/ima-policy', if present, and writes it to > > > >isn't /etc/sysconfig too specific to Fedora? > > > > Hi Gustavo > > probably yes. I see the code in 'src/locale-setup.c' where the > the configuration directory depends on the target distribution. > I can implement something like that in my patch. We will sooner or later drop the per-distro ifdeffery. Please don't even start it for new code. Given that IMA is still new, please make sure to adopt configuration fails that are the same across all distributions. > >Also, I certainly have no such things in my system and see no point in > >calling ima_setup() on it. Or even compiling the source file in such > >case. > > > > Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA' > statement, as it happens for SELinux. However an issue is that there > is no a specific package for IMA that can be checked to set the > HAVE_IMA > definition to yes. Instead, the code can be enabled for example by > adding the parameter '--enable_ima' in the configure script. Sounds good. Lennart -- Lennart Poettering - Red Hat, Inc. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies [not found] ` <1329312229-11856-2-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> 2012-02-15 14:30 ` [systemd-devel] " Gustavo Sverzut Barbieri @ 2012-02-20 17:12 ` Lennart Poettering 2012-02-20 18:23 ` Roberto Sassu 1 sibling, 1 reply; 17+ messages in thread From: Lennart Poettering @ 2012-02-20 17:12 UTC (permalink / raw) To: Roberto Sassu Cc: systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, initramfs-u79uwXL29TY76Z2rM5mHXA, linux-ima-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, linux-security-module-u79uwXL29TY76Z2rM5mHXA, zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8, harald-H+wXaHxf7aLQT0dZR+AlfA, ramunno-8RLafaVCWuNeoWH0uzbU5w On Wed, 15.02.12 14:23, Roberto Sassu (roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org) wrote: > The new function ima_setup() loads an IMA custom policy from a file in the > default location '/etc/sysconfig/ima-policy', if present, and writes it to > the path 'ima/policy' in the security filesystem. This function is executed > at early stage in order to avoid that some file operations are not measured > by IMA and it is placed after the initialization of SELinux because IMA > needs the latter (or other security modules) to understand LSM-specific > rules. This must be a configure option. I am pretty sure most embedded people don't require this feature. The kernel side of things is merged upstream I presume? (We generally only want to support stuff in our code that is merged upstream itself) > +#define IMA_SECFS_DIR SECURITYFS_MNTPOINT "/ima" > +#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy" Please use proper strings for this. (see my earlier mail) > +#define IMA_POLICY_PATH "/etc/sysconfig/ima-policy" This is a Fedoraism. Please introduce a proper configuration file for this. > + > +int ima_setup(void) { > + struct stat st; > + ssize_t policy_size = 0, written = 0; > + char *policy; > + int policyfd = -1, imafd = -1; > + int result = 0; > + > +#ifndef HAVE_SELINUX > + /* Mount the securityfs filesystem */ > + mount_setup_early(); > +#endif > + > + if (stat(IMA_POLICY_PATH, &st) == -1) > + return 0; We tend to do "< 0" instead of "== -1" checks for syscall failures. Might be good to use the same here, but this is not necessary for getting this merged. > + > + policyfd = open(IMA_POLICY_PATH, O_RDONLY); We tend to add O_CLOEXEC to all fds we open, just for being paranoid. Please do so here, too, to avoid surprise and avoid exceptions when people grep for all open() invocations looking for O_CLOEXEC. > + if (policyfd < 0) { > + log_error("Failed to open the IMA custom policy file %s (%s), " > + "ignoring.", IMA_POLICY_PATH, strerror(errno)); > + return 0; > + } Consider using %m instead of %s and strerror(errno). > + imafd = open(IMA_SECFS_POLICY, O_WRONLY); Also O_CLOEXEC please. > + if (imafd < 0) { > + log_error("Failed to open the IMA kernel interface %s (%s), " > + "ignoring.", IMA_SECFS_POLICY, strerror(errno)); > + goto out; > + } > + > + policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0); > + if (policy == NULL) { mmap() returns MAP_FAILED (i.e. (void) -1) on failure, not NULL. This check needs to be fixed. > + log_error("mmap() failed (%s), freezing", strerror(errno)); > + result = -errno; > + goto out; > + } > + > + while(written < policy_size) { > + ssize_t len = write(imafd, policy + written, > + policy_size - written); > + if (len <= 0) { > + log_error("Failed to load the IMA custom policy " > + "file %s (%s), ignoring.", IMA_POLICY_PATH, > + strerror(errno)); > + goto out_mmap; > + } > + written += len; > + } It might make sense to use loop_write() here instead, which does more or less this loop, and is defined in util.c anyway. Otherwise looks good. Lennart -- Lennart Poettering - Red Hat, Inc. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies 2012-02-20 17:12 ` Lennart Poettering @ 2012-02-20 18:23 ` Roberto Sassu [not found] ` <4F428FB0.3000200-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> 0 siblings, 1 reply; 17+ messages in thread From: Roberto Sassu @ 2012-02-20 18:23 UTC (permalink / raw) To: Lennart Poettering Cc: systemd-devel, initramfs, linux-ima-user, linux-security-module, zohar, harald, ramunno On 02/20/2012 06:12 PM, Lennart Poettering wrote: > On Wed, 15.02.12 14:23, Roberto Sassu (roberto.sassu@polito.it) wrote: > >> The new function ima_setup() loads an IMA custom policy from a file in the >> default location '/etc/sysconfig/ima-policy', if present, and writes it to >> the path 'ima/policy' in the security filesystem. This function is executed >> at early stage in order to avoid that some file operations are not measured >> by IMA and it is placed after the initialization of SELinux because IMA >> needs the latter (or other security modules) to understand LSM-specific >> rules. > > This must be a configure option. I am pretty sure most embedded people > don't require this feature. > > The kernel side of things is merged upstream I presume? (We generally > only want to support stuff in our code that is merged upstream itself) > Yes. IMA was in the mainline kernel since 2.6.30. >> +#define IMA_SECFS_DIR SECURITYFS_MNTPOINT "/ima" >> +#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy" > > Please use proper strings for this. (see my earlier mail) > Ok, i will replace the former with the hard-coded pathname. >> +#define IMA_POLICY_PATH "/etc/sysconfig/ima-policy" > > This is a Fedoraism. Please introduce a proper configuration file for this. > Ok, i will answer about this in the next your email. >> + >> +int ima_setup(void) { >> + struct stat st; >> + ssize_t policy_size = 0, written = 0; >> + char *policy; >> + int policyfd = -1, imafd = -1; >> + int result = 0; >> + >> +#ifndef HAVE_SELINUX >> + /* Mount the securityfs filesystem */ >> + mount_setup_early(); >> +#endif >> + >> + if (stat(IMA_POLICY_PATH,&st) == -1) >> + return 0; > > We tend to do "< 0" instead of "== -1" checks for syscall > failures. Might be good to use the same here, but this is not necessary > for getting this merged. > Ok. >> + >> + policyfd = open(IMA_POLICY_PATH, O_RDONLY); > > We tend to add O_CLOEXEC to all fds we open, just for being > paranoid. Please do so here, too, to avoid surprise and avoid exceptions > when people grep for all open() invocations looking for O_CLOEXEC. > No problem, i will do the change. >> + if (policyfd< 0) { >> + log_error("Failed to open the IMA custom policy file %s (%s), " >> + "ignoring.", IMA_POLICY_PATH, strerror(errno)); >> + return 0; >> + } > > Consider using %m instead of %s and strerror(errno). > >> + imafd = open(IMA_SECFS_POLICY, O_WRONLY); > > Also O_CLOEXEC please. > >> + if (imafd< 0) { >> + log_error("Failed to open the IMA kernel interface %s (%s), " >> + "ignoring.", IMA_SECFS_POLICY, strerror(errno)); >> + goto out; >> + } >> + >> + policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0); >> + if (policy == NULL) { > > mmap() returns MAP_FAILED (i.e. (void) -1) on failure, not NULL. This > check needs to be fixed. > Ok, i will replace NULL with MAP_FAILED. >> + log_error("mmap() failed (%s), freezing", strerror(errno)); >> + result = -errno; >> + goto out; >> + } >> + >> + while(written< policy_size) { >> + ssize_t len = write(imafd, policy + written, >> + policy_size - written); >> + if (len<= 0) { >> + log_error("Failed to load the IMA custom policy " >> + "file %s (%s), ignoring.", IMA_POLICY_PATH, >> + strerror(errno)); >> + goto out_mmap; >> + } >> + written += len; >> + } > > It might make sense to use loop_write() here instead, which does more or > less this loop, and is defined in util.c anyway. > I briefly looked at the code and i'm not sure to use it, because i want to add some extra information in the output message (for example the line number of the rule in the policy file that was rejected by IMA). Thanks Roberto Sassu > Otherwise looks good. > > Lennart > ^ permalink raw reply [flat|nested] 17+ messages in thread
[parent not found: <4F428FB0.3000200-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>]
* Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies [not found] ` <4F428FB0.3000200-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> @ 2012-02-20 18:52 ` Lennart Poettering [not found] ` <20120220185236.GB360-kS5D54t9nk0aINubkmmoJbNAH6kLmebB@public.gmane.org> 0 siblings, 1 reply; 17+ messages in thread From: Lennart Poettering @ 2012-02-20 18:52 UTC (permalink / raw) To: Roberto Sassu Cc: systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, initramfs-u79uwXL29TY76Z2rM5mHXA, linux-ima-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, linux-security-module-u79uwXL29TY76Z2rM5mHXA, zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8, harald-H+wXaHxf7aLQT0dZR+AlfA, ramunno-8RLafaVCWuNeoWH0uzbU5w On Mon, 20.02.12 19:23, Roberto Sassu (roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org) wrote: > >>+ log_error("mmap() failed (%s), freezing", strerror(errno)); > >>+ result = -errno; > >>+ goto out; > >>+ } > >>+ > >>+ while(written< policy_size) { > >>+ ssize_t len = write(imafd, policy + written, > >>+ policy_size - written); > >>+ if (len<= 0) { > >>+ log_error("Failed to load the IMA custom policy " > >>+ "file %s (%s), ignoring.", IMA_POLICY_PATH, > >>+ strerror(errno)); > >>+ goto out_mmap; > >>+ } > >>+ written += len; > >>+ } > > > >It might make sense to use loop_write() here instead, which does more or > >less this loop, and is defined in util.c anyway. > > I briefly looked at the code and i'm not sure to use it, because i want > to add some extra information in the output message (for example the > line number of the rule in the policy file that was rejected by IMA). Line number? The policy is text? Your code above doesn't print any line numbers? Lennart -- Lennart Poettering - Red Hat, Inc. ^ permalink raw reply [flat|nested] 17+ messages in thread
[parent not found: <20120220185236.GB360-kS5D54t9nk0aINubkmmoJbNAH6kLmebB@public.gmane.org>]
* Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies [not found] ` <20120220185236.GB360-kS5D54t9nk0aINubkmmoJbNAH6kLmebB@public.gmane.org> @ 2012-02-20 19:11 ` Roberto Sassu 0 siblings, 0 replies; 17+ messages in thread From: Roberto Sassu @ 2012-02-20 19:11 UTC (permalink / raw) To: Lennart Poettering Cc: systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, initramfs-u79uwXL29TY76Z2rM5mHXA, linux-ima-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, linux-security-module-u79uwXL29TY76Z2rM5mHXA, zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8, harald-H+wXaHxf7aLQT0dZR+AlfA, ramunno-8RLafaVCWuNeoWH0uzbU5w On 02/20/2012 07:52 PM, Lennart Poettering wrote: > On Mon, 20.02.12 19:23, Roberto Sassu (roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org) wrote: > >>>> + log_error("mmap() failed (%s), freezing", strerror(errno)); >>>> + result = -errno; >>>> + goto out; >>>> + } >>>> + >>>> + while(written< policy_size) { >>>> + ssize_t len = write(imafd, policy + written, >>>> + policy_size - written); >>>> + if (len<= 0) { >>>> + log_error("Failed to load the IMA custom policy " >>>> + "file %s (%s), ignoring.", IMA_POLICY_PATH, >>>> + strerror(errno)); >>>> + goto out_mmap; >>>> + } >>>> + written += len; >>>> + } >>> >>> It might make sense to use loop_write() here instead, which does more or >>> less this loop, and is defined in util.c anyway. >> >> I briefly looked at the code and i'm not sure to use it, because i want >> to add some extra information in the output message (for example the >> line number of the rule in the policy file that was rejected by IMA). > > Line number? The policy is text? Your code above doesn't print any line > numbers? > Sorry, this is not done in the current patch. But i think it may be useful for a user to know what rule is being rejected by IMA. Yes, the policy is text. Thanks Roberto Sassu > Lennart > ^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2012-03-05 18:11 UTC | newest]
Thread overview: 17+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-02-22 14:52 [PATCH 1/2] systemd: mount the securityfs filesystem at early stage Roberto Sassu
2012-02-22 14:52 ` [PATCH 2/2] main: added support for loading IMA custom policies Roberto Sassu
[not found] ` <1329922381-13451-2-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-03-05 14:39 ` [systemd-devel] " Lennart Poettering
2012-03-05 16:15 ` Roberto Sassu
[not found] ` <4F54E688.2020306-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-03-05 18:11 ` [systemd-devel] " Mimi Zohar
-- strict thread matches above, loose matches on Subject: below --
2012-02-15 13:23 [PATCH 1/2] systemd: mount the securityfs filesystem at early stage Roberto Sassu
2012-02-15 13:23 ` [PATCH 2/2] main: added support for loading IMA custom policies Roberto Sassu
[not found] ` <1329312229-11856-2-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-15 14:30 ` [systemd-devel] " Gustavo Sverzut Barbieri
2012-02-15 16:26 ` Roberto Sassu
[not found] ` <4F3BDCAA.7040001-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-15 16:55 ` [systemd-devel] " Gustavo Sverzut Barbieri
[not found] ` <CAPdpN3C0xDeVBrbDxesPdEV+owf-q_wxUHTmr4YDCHw=NgPV1Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-02-15 17:12 ` Roberto Sassu
2012-02-20 17:14 ` Lennart Poettering
2012-02-20 18:36 ` Roberto Sassu
[not found] ` <4F4292A4.2030402-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-20 19:07 ` Lennart Poettering
2012-02-21 9:17 ` Roberto Sassu
2012-02-20 17:13 ` Lennart Poettering
2012-02-20 17:12 ` Lennart Poettering
2012-02-20 18:23 ` Roberto Sassu
[not found] ` <4F428FB0.3000200-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-20 18:52 ` Lennart Poettering
[not found] ` <20120220185236.GB360-kS5D54t9nk0aINubkmmoJbNAH6kLmebB@public.gmane.org>
2012-02-20 19:11 ` Roberto Sassu
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.