public inbox for initramfs@vger.kernel.org
* [PATCH] 98integrity: support validating the IMA policy file signature
@ 2016-10-13 19:51 Stefan Berger
From: Stefan Berger @ 2016-10-13 19:51 UTC
  To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Stefan Berger, Stefan Berger, Mimi Zohar

From: Stefan Berger <stefanb-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>

IMA validates file signatures based on the security.ima xattr. As of
Linux-4.7, instead of cat'ing the IMA policy into the securityfs policy,
the IMA policy pathname can be written, allowing the IMA policy file
signature to be validated.

This patch first attempts to write the pathname, but on failure falls
back to cat'ing the IMA policy contents.

Signed-off-by: Stefan Berger <stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Signed-off-by: Mimi Zohar <zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
---
 modules.d/98integrity/ima-policy-load.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules.d/98integrity/ima-policy-load.sh b/modules.d/98integrity/ima-policy-load.sh
index 0061cff..5460d02 100755
--- a/modules.d/98integrity/ima-policy-load.sh
+++ b/modules.d/98integrity/ima-policy-load.sh
@@ -30,7 +30,8 @@ load_ima_policy()
     # check the existence of the IMA policy file
     [ -f "${IMAPOLICYPATH}" ] && {
         info "Loading the provided IMA custom policy";
-        cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy;
+        echo -n "${IMAPOLICYPATH}" > ${IMASECDIR}/policy || \
+            cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy
     }
 
     return 0
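Review bot: the "||" fallback on the two new lines masks a signature failure. On a kernel that supports pathname writes (Linux 4.7+, per the commit message), the write to ${IMASECDIR}/policy fails not only when the interface is absent but also when the kernel rejects the policy file's signature, and in that case the script silently runs cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy, loading the same unverified contents and defeating the validation this patch is meant to enable. Consider falling back only when the kernel does not support the pathname interface, or at least emitting a warning before the cat so an unverified policy load is visible in the boot log. Two smaller points: "echo -n" is not portable (POSIX leaves -n implementation-defined), so printf '%s' "${IMAPOLICYPATH}" is the safer form; and ${IMASECDIR}/policy is left unquoted in both redirections while ${IMAPOLICYPATH} is now quoted.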
-- 
2.7.0
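As an added example (not dracut's code and not part of the patch), a stricter variant of the loader above that writes the pathname with printf and only falls back to cat'ing the raw contents on a kernel older than 4.7, so a rejected signature on a newer kernel fails loudly instead of being papered over; the kernel-version gate and the info/warn loggers are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not dracut's own code. The version gate is an assumption:
# the commit message names Linux 4.7 as the first release accepting a policy
# pathname. info/warn stand in for dracut's loggers so this runs stand-alone.

info() { printf 'info: %s\n' "$*"; }
warn() { printf 'warn: %s\n' "$*" >&2; }

# Return 0 when a "major.minor[...]" kernel version string is >= 4.7.
kernel_accepts_policy_path() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 4 ] 2>/dev/null && return 0
    [ "$major" -eq 4 ] 2>/dev/null && [ "${minor:-0}" -ge 7 ]
}

# Load the policy file $1 into the securityfs policy file $2 on kernel $3.
# On a 4.7+ kernel the pathname is written (printf, not echo -n, for
# portability) and a failure is reported as a rejected policy rather than
# hidden by cat'ing the unverified contents. Only an older kernel gets the
# raw-contents fallback, and it is logged so the bypass is visible.
load_ima_policy() {
    policy=$1; secfs_policy=$2; kver=$3
    [ -f "$policy" ] || return 0
    info "Loading the provided IMA custom policy"
    if kernel_accepts_policy_path "$kver"; then
        if printf '%s' "$policy" > "$secfs_policy"; then
            return 0
        fi
        warn "kernel rejected IMA policy $policy (signature or syntax)"
        return 1
    fi
    warn "kernel $kver cannot verify the policy signature; loading raw contents"
    cat "$policy" > "$secfs_policy"
}
```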

* Re: [PATCH] 98integrity: support validating the IMA policy file signature
@ 2016-10-13 20:05   ` Dracut GitHub Import Bot
From: Dracut GitHub Import Bot @ 2016-10-13 20:05 UTC
  To: initramfs-u79uwXL29TY76Z2rM5mHXA

Patchset imported to github.
Pull request:
<https://github.com/haraldh/dracut/compare/master...dracut-mailing-devs:1476388264-23649-1-git-send-email-stefanb%40linux.vnet.ibm.com>


* [PATCH] 98integrity: support validating the IMA policy file signature
@ 2016-10-13 20:49 Stefan Berger
From: Stefan Berger @ 2016-10-13 20:49 UTC
  To: initramfs-u79uwXL29TY76Z2rM5mHXA
  Cc: harald-H+wXaHxf7aLQT0dZR+AlfA, Stefan Berger, Stefan Berger,
	Mimi Zohar


* Re: [PATCH] 98integrity: support validating the IMA policy file signature
@ 2016-10-13 21:02   ` Dracut GitHub Import Bot
From: Dracut GitHub Import Bot @ 2016-10-13 21:02 UTC
  To: initramfs-u79uwXL29TY76Z2rM5mHXA

Patchset imported to github.
Pull request:
<https://github.com/haraldh/dracut/compare/master...dracut-mailing-devs:1476391783-27231-1-git-send-email-stefanb%40linux.vnet.ibm.com>

