From: Roberto Sassu <roberto.sassu@polito.it>
To: Lennart Poettering <lennart@poettering.net>
Cc: systemd-devel@lists.freedesktop.org, initramfs@vger.kernel.org,
linux-ima-user@lists.sourceforge.net,
linux-security-module@vger.kernel.org, zohar@linux.vnet.ibm.com,
harald@redhat.com, ramunno@polito.it
Subject: Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies
Date: Mon, 20 Feb 2012 19:23:44 +0100 [thread overview]
Message-ID: <4F428FB0.3000200@polito.it> (raw)
In-Reply-To: <20120220171229.GB26356@tango.0pointer.de>
On 02/20/2012 06:12 PM, Lennart Poettering wrote:
> On Wed, 15.02.12 14:23, Roberto Sassu (roberto.sassu@polito.it) wrote:
>
>> The new function ima_setup() loads an IMA custom policy from a file in the
>> default location '/etc/sysconfig/ima-policy', if present, and writes it to
>> the path 'ima/policy' in the security filesystem. This function is executed
>> at early stage in order to avoid that some file operations are not measured
>> by IMA and it is placed after the initialization of SELinux because IMA
>> needs the latter (or other security modules) to understand LSM-specific
>> rules.
>
> This must be a configure option. I am pretty sure most embedded people
> don't require this feature.
>
> The kernel side of things is merged upstream I presume? (We generally
> only want to support stuff in our code that is merged upstream itself)
>
Yes. IMA was in the mainline kernel since 2.6.30.
>> +#define IMA_SECFS_DIR SECURITYFS_MNTPOINT "/ima"
>> +#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy"
>
> Please use proper strings for this. (see my earlier mail)
>
Ok, i will replace the former with the hard-coded pathname.
>> +#define IMA_POLICY_PATH "/etc/sysconfig/ima-policy"
>
> This is a Fedoraism. Please introduce a proper configuration file for this.
>
Ok, i will answer about this in the next your email.
>> +
>> +int ima_setup(void) {
>> + struct stat st;
>> + ssize_t policy_size = 0, written = 0;
>> + char *policy;
>> + int policyfd = -1, imafd = -1;
>> + int result = 0;
>> +
>> +#ifndef HAVE_SELINUX
>> + /* Mount the securityfs filesystem */
>> + mount_setup_early();
>> +#endif
>> +
>> + if (stat(IMA_POLICY_PATH,&st) == -1)
>> + return 0;
>
> We tend to do "< 0" instead of "== -1" checks for syscall
> failures. Might be good to use the same here, but this is not necessary
> for getting this merged.
>
Ok.
>> +
>> + policyfd = open(IMA_POLICY_PATH, O_RDONLY);
>
> We tend to add O_CLOEXEC to all fds we open, just for being
> paranoid. Please do so here, too, to avoid surprise and avoid exceptions
> when people grep for all open() invocations looking for O_CLOEXEC.
>
No problem, i will do the change.
>> + if (policyfd< 0) {
>> + log_error("Failed to open the IMA custom policy file %s (%s), "
>> + "ignoring.", IMA_POLICY_PATH, strerror(errno));
>> + return 0;
>> + }
>
> Consider using %m instead of %s and strerror(errno).
>
>> + imafd = open(IMA_SECFS_POLICY, O_WRONLY);
>
> Also O_CLOEXEC please.
>
>> + if (imafd< 0) {
>> + log_error("Failed to open the IMA kernel interface %s (%s), "
>> + "ignoring.", IMA_SECFS_POLICY, strerror(errno));
>> + goto out;
>> + }
>> +
>> + policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0);
>> + if (policy == NULL) {
>
> mmap() returns MAP_FAILED (i.e. (void) -1) on failure, not NULL. This
> check needs to be fixed.
>
Ok, i will replace NULL with MAP_FAILED.
>> + log_error("mmap() failed (%s), freezing", strerror(errno));
>> + result = -errno;
>> + goto out;
>> + }
>> +
>> + while(written< policy_size) {
>> + ssize_t len = write(imafd, policy + written,
>> + policy_size - written);
>> + if (len<= 0) {
>> + log_error("Failed to load the IMA custom policy "
>> + "file %s (%s), ignoring.", IMA_POLICY_PATH,
>> + strerror(errno));
>> + goto out_mmap;
>> + }
>> + written += len;
>> + }
>
> It might make sense to use loop_write() here instead, which does more or
> less this loop, and is defined in util.c anyway.
>
I briefly looked at the code and i'm not sure to use it, because i want
to add some extra information in the output message (for example the
line number of the rule in the policy file that was rejected by IMA).
Thanks
Roberto Sassu
> Otherwise looks good.
>
> Lennart
>
next prev parent reply other threads:[~2012-02-20 18:23 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-15 13:23 [PATCH 1/2] systemd: mount the securityfs filesystem at early stage Roberto Sassu
2012-02-15 13:23 ` [PATCH 2/2] main: added support for loading IMA custom policies Roberto Sassu
[not found] ` <1329312229-11856-2-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-15 14:30 ` [systemd-devel] " Gustavo Sverzut Barbieri
2012-02-15 16:26 ` Roberto Sassu
[not found] ` <4F3BDCAA.7040001-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-15 16:55 ` [systemd-devel] " Gustavo Sverzut Barbieri
[not found] ` <CAPdpN3C0xDeVBrbDxesPdEV+owf-q_wxUHTmr4YDCHw=NgPV1Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-02-15 17:12 ` Roberto Sassu
[not found] ` <4F3BE763.9060704-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-16 4:56 ` [Linux-ima-user] " Michael Cassaniti
2012-02-16 13:19 ` Mimi Zohar
2012-02-16 13:38 ` Roberto Sassu
2012-02-16 14:30 ` Gustavo Sverzut Barbieri
[not found] ` <CAPdpN3AAwJ6s-fOgTCV4h4OCKCw3RhEav56LJaUXWVpuf4Jowg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-02-16 14:35 ` Roberto Sassu
2012-02-16 21:50 ` Gustavo Sverzut Barbieri
2012-02-20 17:24 ` [Linux-ima-user] " Lennart Poettering
2012-02-20 19:06 ` [systemd-devel] " Roberto Sassu
2012-02-20 19:18 ` Lennart Poettering
[not found] ` <20120220191804.GD360-kS5D54t9nk0aINubkmmoJbNAH6kLmebB@public.gmane.org>
2012-02-21 10:05 ` Roberto Sassu
[not found] ` <4F436C7A.9020206-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-21 13:01 ` [Linux-ima-user] [systemd-devel] " Mimi Zohar
2012-02-21 13:58 ` Roberto Sassu
2012-02-21 16:15 ` Mimi Zohar
2012-02-21 17:32 ` Roberto Sassu
[not found] ` <4F43D532.7070006-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-21 17:54 ` Mimi Zohar
2012-02-21 17:56 ` Kay Sievers
[not found] ` <CAPXgP10zCVgj4gDTzkJ1+XqKSHhjrCHwkUazJ8caaeMF2j+mMg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-02-21 18:07 ` Roberto Sassu
[not found] ` <4F43DD49.2040202-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-21 19:06 ` Kay Sievers
2012-02-21 14:07 ` [systemd-devel] [Linux-ima-user] " Colin Guthrie
2012-02-21 14:32 ` Kay Sievers
[not found] ` <CAPXgP13c1B80u14E4FrhZEJ89NDvDP--ciWikz0j+m4En6zPRQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-02-21 16:14 ` Mimi Zohar
2012-02-21 18:25 ` Roberto Sassu
2012-02-21 12:25 ` [Linux-ima-user] [systemd-devel] " Mimi Zohar
2012-02-20 17:21 ` [systemd-devel] [Linux-ima-user] " Lennart Poettering
[not found] ` <4F3C8C6F.4010708-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2012-02-20 17:18 ` Lennart Poettering
2012-02-20 17:14 ` [systemd-devel] " Lennart Poettering
2012-02-20 18:36 ` Roberto Sassu
[not found] ` <4F4292A4.2030402-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-20 19:07 ` Lennart Poettering
2012-02-21 9:17 ` Roberto Sassu
2012-02-20 17:13 ` Lennart Poettering
2012-02-20 17:12 ` Lennart Poettering
2012-02-20 18:23 ` Roberto Sassu [this message]
[not found] ` <4F428FB0.3000200-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-20 18:52 ` Lennart Poettering
[not found] ` <20120220185236.GB360-kS5D54t9nk0aINubkmmoJbNAH6kLmebB@public.gmane.org>
2012-02-20 19:11 ` Roberto Sassu
[not found] ` <1329312229-11856-1-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-20 17:04 ` [systemd-devel] [PATCH 1/2] systemd: mount the securityfs filesystem at early stage Lennart Poettering
[not found] ` <20120220170436.GA26356-kS5D54t9nk0aINubkmmoJbNAH6kLmebB@public.gmane.org>
2012-02-20 18:02 ` Roberto Sassu
-- strict thread matches above, loose matches on Subject: below --
2012-02-22 14:52 Roberto Sassu
2012-02-22 14:52 ` [PATCH 2/2] main: added support for loading IMA custom policies Roberto Sassu
[not found] ` <1329922381-13451-2-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-03-05 14:39 ` [systemd-devel] " Lennart Poettering
2012-03-05 16:15 ` Roberto Sassu
[not found] ` <4F54E688.2020306-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-03-05 18:11 ` [systemd-devel] " Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F428FB0.3000200@polito.it \
--to=roberto.sassu@polito.it \
--cc=harald@redhat.com \
--cc=initramfs@vger.kernel.org \
--cc=lennart@poettering.net \
--cc=linux-ima-user@lists.sourceforge.net \
--cc=linux-security-module@vger.kernel.org \
--cc=ramunno@polito.it \
--cc=systemd-devel@lists.freedesktop.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox