Re: [PATCH 2/2] main: added support for loading IMA custom policies

mkinitrd unification across distributions
 help / color / mirror / Atom feed

From: Roberto Sassu <roberto.sassu@polito.it>
To: Lennart Poettering <lennart@poettering.net>
Cc: initramfs@vger.kernel.org, systemd-devel@lists.freedesktop.org,
	linux-ima-user@lists.sourceforge.net,
	linux-security-module@vger.kernel.org, zohar@linux.vnet.ibm.com,
	harald@redhat.com, ramunno@polito.it
Subject: Re: [PATCH 2/2] main: added support for loading IMA custom policies
Date: Mon, 05 Mar 2012 17:15:04 +0100	[thread overview]
Message-ID: <4F54E688.2020306@polito.it> (raw)
In-Reply-To: <20120305143950.GV10929@tango.0pointer.de>

On 03/05/2012 03:39 PM, Lennart Poettering wrote:
> On Wed, 22.02.12 15:52, Roberto Sassu (roberto.sassu@polito.it) wrote:
>
> Heya,
>
>> +       policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0);
>> +       if (policy == MAP_FAILED) {
>> +               log_error("mmap() failed (%m), freezing");
>> +               result = -errno;
>> +               goto out;
>> +       }
>> +
>> +       while(written<  policy_size) {
>> +               ssize_t len = write(imafd, policy + written,
>> +                                   policy_size - written);
>> +               if (len<= 0) {
>> +                         if (errno == EINVAL)
>> +                                   log_error("Invalid line #%d in the IMA custom policy file %s",
>> +                                             policy_line_number, IMA_POLICY_PATH);
>> +
>> +                         log_error("Failed to load the IMA custom policy "
>> +                                   "file %s (%m), ignoring.", IMA_POLICY_PATH);
>> +                         goto out_mmap;
>> +               }
>> +               written += len;
>> +               policy_line_number++;
>
> I don't understand the counting here of policy_line_number? You attempt
> to write the whole policy at once, no? How does this counting of line
> numbers work here then? Or does the write() call on the kernel file
> actually only accept one line at a time? If that's the case is it really
> a good idea to rely on that behaviour? Knowing how these things go
> eventually things might get optimized to read more than one line at once
> and then the counting here will be off. Maybe it makes sense to drop the
> counting entirely here?
>

Hi Lennart

yes, the kernel interface accepts only one line at time. I implemented
this code because it is not possible to known from the kernel logs what
is the invalid line if the policy contains several lines. Indeed, IMA
sends an audit message for each parsed rule, so that some are dropped
due to the rate limit of audit.

I agree that is not a good idea writing a code that depends on the
specific implementation of how the policy loading is handled. So, a
solution may be to drop the counting code here and to solve the issue
by allowing IMA to send an audit message only when an invalid rule is
encountered.

Mimi, do you agree with that?

Thanks

Roberto Sassu


> (Something else thing that gets me thinking: by mmap()ing the source
> file you imply that the policy can never grow beyond 2G or so. I presume
> that's not a problem, right?)
>
> Otherwise looks good.
>
> Lennart
>

next prev parent reply	other threads:[~2012-03-05 16:15 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-02-22 14:52 [PATCH 1/2] systemd: mount the securityfs filesystem at early stage Roberto Sassu
2012-02-22 14:52 ` [PATCH 2/2] main: added support for loading IMA custom policies Roberto Sassu
     [not found]   ` <1329922381-13451-2-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-03-05 14:39     ` [systemd-devel] " Lennart Poettering
2012-03-05 16:15       ` Roberto Sassu [this message]
     [not found]         ` <4F54E688.2020306-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-03-05 18:11           ` Mimi Zohar
  -- strict thread matches above, loose matches on Subject: below --
2012-02-15 13:23 [PATCH 1/2] systemd: mount the securityfs filesystem at early stage Roberto Sassu
2012-02-15 13:23 ` [PATCH 2/2] main: added support for loading IMA custom policies Roberto Sassu
2012-02-15 14:30   ` [systemd-devel] " Gustavo Sverzut Barbieri
2012-02-15 16:26     ` Roberto Sassu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4F54E688.2020306@polito.it \
    --to=roberto.sassu@polito.it \
    --cc=harald@redhat.com \
    --cc=initramfs@vger.kernel.org \
    --cc=lennart@poettering.net \
    --cc=linux-ima-user@lists.sourceforge.net \
    --cc=linux-security-module@vger.kernel.org \
    --cc=ramunno@polito.it \
    --cc=systemd-devel@lists.freedesktop.org \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox