From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>
Cc: Matthew Garrett <mjg59@google.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
James Morris <jmorris@namei.org>,
linux-fsdevel@vger.kernel.org,
linux-ima-devel@lists.sourceforge.net,
linux-security-module@vger.kernel.org
Subject: [PATCH v6 6/6] ima: define "fs_unsafe" builtin policy
Date: Tue, 15 Aug 2017 10:43:57 -0400 [thread overview]
Message-ID: <1502808237-2035-7-git-send-email-zohar@linux.vnet.ibm.com> (raw)
In-Reply-To: <1502808237-2035-1-git-send-email-zohar@linux.vnet.ibm.com>
Permit normally denied access/execute permission for files in policy
on IMA unsupported filesystems. This patch defines "fs_unsafe", a
builtin policy.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
Changelog v3:
- include dont_failsafe rule when displaying policy
Documentation/admin-guide/kernel-parameters.txt | 8 +++++++-
security/integrity/ima/ima_policy.c | 12 ++++++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index d9c171ce4190..4e303be83df6 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1502,7 +1502,7 @@
ima_policy= [IMA]
The builtin policies to load during IMA setup.
- Format: "tcb | appraise_tcb | secure_boot"
+ Format: "tcb | appraise_tcb | secure_boot | fs_unsafe"
The "tcb" policy measures all programs exec'd, files
mmap'd for exec, and all files opened with the read
@@ -1517,6 +1517,12 @@
of files (eg. kexec kernel image, kernel modules,
firmware, policy, etc) based on file signatures.
+ The "fs_unsafe" policy permits normally denied
+ access/execute permission for files in policy on IMA
+ unsupported filesystems. Note this option, as the
+ name implies, is not safe and not recommended for
+ any environments other than testing.
+
ima_tcb [IMA] Deprecated. Use ima_policy= instead.
Load a policy which meets the needs of the Trusted
Computing Base. This means IMA will measure all
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 43b85a4fb8e8..cddd9dfb01e1 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -169,6 +169,10 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
};
+static struct ima_rule_entry dont_failsafe_rules[] __ro_after_init = {
+ {.action = DONT_FAILSAFE}
+};
+
static LIST_HEAD(ima_default_rules);
static LIST_HEAD(ima_policy_rules);
static LIST_HEAD(ima_temp_rules);
@@ -188,6 +192,7 @@ __setup("ima_tcb", default_measure_policy_setup);
static bool ima_use_appraise_tcb __initdata;
static bool ima_use_secure_boot __initdata;
+static bool ima_use_dont_failsafe __initdata;
static int __init policy_setup(char *str)
{
char *p;
@@ -201,6 +206,10 @@ static int __init policy_setup(char *str)
ima_use_appraise_tcb = 1;
else if (strcmp(p, "secure_boot") == 0)
ima_use_secure_boot = 1;
+ else if (strcmp(p, "fs_unsafe") == 0) {
+ ima_use_dont_failsafe = 1;
+ set_failsafe(0);
+ }
}
return 1;
@@ -470,6 +479,9 @@ void __init ima_init_policy(void)
temp_ima_appraise |= IMA_APPRAISE_POLICY;
}
+ if (ima_use_dont_failsafe)
+ list_add_tail(&dont_failsafe_rules[0].list, &ima_default_rules);
+
ima_rules = &ima_default_rules;
ima_update_policy_flag();
}
--
2.7.4
next prev parent reply other threads:[~2017-08-15 14:44 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-15 14:43 [PATCH v6 0/6] define new fs integrity_read method Mimi Zohar
2017-08-15 14:43 ` [PATCH v6 1/6] libfs: define simple_read_iter_from_buffer Mimi Zohar
2017-08-16 6:35 ` Christoph Hellwig
2017-08-16 17:43 ` Mimi Zohar
2017-08-17 2:42 ` James Morris
2017-08-17 11:00 ` Mimi Zohar
2017-08-22 10:04 ` Dmitry Kasatkin
2017-08-15 14:43 ` [PATCH v6 2/6] efivarfs: replaces the read file operation with read_iter Mimi Zohar
2017-08-16 6:35 ` Christoph Hellwig
2017-08-15 14:43 ` [PATCH v6 3/6] ima: always measure and audit files in policy Mimi Zohar
2017-08-22 10:05 ` Dmitry Kasatkin
2017-08-22 12:54 ` Mimi Zohar
2017-08-15 14:43 ` [PATCH v6 4/6] ima: use fs method to read integrity data Mimi Zohar
2017-08-16 13:17 ` Jan Kara
2017-08-16 17:43 ` Mimi Zohar
2017-08-22 10:09 ` Dmitry Kasatkin
2017-08-28 4:13 ` Al Viro
2017-08-28 18:30 ` Mimi Zohar
2017-08-15 14:43 ` [PATCH v6 5/6] ima: define "dont_failsafe" policy action rule Mimi Zohar
2017-08-22 10:07 ` Dmitry Kasatkin
2017-08-22 12:54 ` Mimi Zohar
2017-08-22 13:31 ` Dmitry Kasatkin
2017-08-15 14:43 ` Mimi Zohar [this message]
2017-08-22 10:07 ` [PATCH v6 6/6] ima: define "fs_unsafe" builtin policy Dmitry Kasatkin
2017-08-22 13:13 ` Mimi Zohar
2017-08-22 13:41 ` Dmitry Kasatkin
2017-08-16 2:43 ` [PATCH v6 0/6] define new fs integrity_read method James Morris
2017-08-16 6:34 ` Christoph Hellwig
2017-08-16 9:52 ` James Morris
2017-08-16 11:05 ` Mimi Zohar
2017-08-28 4:18 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1502808237-2035-7-git-send-email-zohar@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=hch@lst.de \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-ima-devel@lists.sourceforge.net \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).