Re: [Linux-ima-devel] [PATCH v4 4/5] ima: define "fs_unsafe" builtin policy

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>,
	linux-fsdevel@vger.kernel.org,
	linux-ima-devel <linux-ima-devel@lists.sourceforge.net>,
	linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: [Linux-ima-devel] [PATCH v4 4/5] ima: define "fs_unsafe" builtin policy
Date: Tue, 22 Aug 2017 12:36:54 +0300	[thread overview]
Message-ID: <CACE9dm86O8TCHG19k5rw9W-SmfLmvRJCZ0VPwqRrFZNx9CTX+g@mail.gmail.com> (raw)
In-Reply-To: <1501075375-29469-5-git-send-email-zohar@linux.vnet.ibm.com>

Looks good to me.

On Wed, Jul 26, 2017 at 4:22 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> Permit normally denied access/execute permission for files in policy
> on IMA unsupported filesystems.  This patch defines "fs_unsafe", a
> builtin policy.
>
> Mimi Zohar <zohar@linux.vnet.ibm.com>
>
> ---
> Changelog v3:
> - include dont_failsafe rule when displaying policy
>
>  Documentation/admin-guide/kernel-parameters.txt |  8 +++++++-
>  security/integrity/ima/ima_policy.c             | 12 ++++++++++++
>  2 files changed, 19 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index d9c171ce4190..4e303be83df6 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1502,7 +1502,7 @@
>
>         ima_policy=     [IMA]
>                         The builtin policies to load during IMA setup.
> -                       Format: "tcb | appraise_tcb | secure_boot"
> +                       Format: "tcb | appraise_tcb | secure_boot | fs_unsafe"
>
>                         The "tcb" policy measures all programs exec'd, files
>                         mmap'd for exec, and all files opened with the read
> @@ -1517,6 +1517,12 @@
>                         of files (eg. kexec kernel image, kernel modules,
>                         firmware, policy, etc) based on file signatures.
>
> +                       The "fs_unsafe" policy permits normally denied
> +                       access/execute permission for files in policy on IMA
> +                       unsupported filesystems.  Note this option, as the
> +                       name implies, is not safe and not recommended for
> +                       any environments other than testing.
> +
>         ima_tcb         [IMA] Deprecated.  Use ima_policy= instead.
>                         Load a policy which meets the needs of the Trusted
>                         Computing Base.  This means IMA will measure all
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 43b85a4fb8e8..cddd9dfb01e1 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -169,6 +169,10 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
>          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
>  };
>
> +static struct ima_rule_entry dont_failsafe_rules[] __ro_after_init = {
> +       {.action = DONT_FAILSAFE}
> +};
> +
>  static LIST_HEAD(ima_default_rules);
>  static LIST_HEAD(ima_policy_rules);
>  static LIST_HEAD(ima_temp_rules);
> @@ -188,6 +192,7 @@ __setup("ima_tcb", default_measure_policy_setup);
>
>  static bool ima_use_appraise_tcb __initdata;
>  static bool ima_use_secure_boot __initdata;
> +static bool ima_use_dont_failsafe __initdata;
>  static int __init policy_setup(char *str)
>  {
>         char *p;
> @@ -201,6 +206,10 @@ static int __init policy_setup(char *str)
>                         ima_use_appraise_tcb = 1;
>                 else if (strcmp(p, "secure_boot") == 0)
>                         ima_use_secure_boot = 1;
> +               else if (strcmp(p, "fs_unsafe") == 0) {
> +                       ima_use_dont_failsafe = 1;
> +                       set_failsafe(0);
> +               }
>         }
>
>         return 1;
> @@ -470,6 +479,9 @@ void __init ima_init_policy(void)
>                         temp_ima_appraise |= IMA_APPRAISE_POLICY;
>         }
>
> +       if (ima_use_dont_failsafe)
> +               list_add_tail(&dont_failsafe_rules[0].list, &ima_default_rules);
> +
>         ima_rules = &ima_default_rules;
>         ima_update_policy_flag();
>  }
> --
> 2.7.4
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Linux-ima-devel mailing list
> Linux-ima-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-ima-devel



-- 
Thanks,
Dmitry

next prev parent reply	other threads:[~2017-08-22  9:36 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-07-26 13:22 [PATCH v4 0/5] define new fs integrity_read method Mimi Zohar
2017-07-26 13:22 ` [PATCH v4 1/5] ima: always measure and audit files in policy Mimi Zohar
2017-08-22  9:24   ` [Linux-ima-devel] " Dmitry Kasatkin
2017-07-26 13:22 ` [PATCH v4 2/5] ima: use fs method to read integrity data Mimi Zohar
2017-07-31  7:01   ` Jan Kara
2017-07-31 19:08     ` Mimi Zohar
2017-08-01 10:42       ` Jan Kara
2017-08-01 15:38         ` Mimi Zohar
2017-08-01 20:24   ` [PATCH v4 2/5] ima: use fs method to read integrity data [updated] Mimi Zohar
2017-08-02  8:01     ` Jan Kara
2017-08-02 17:11       ` Mimi Zohar
2017-08-03 10:56         ` Jan Kara
2017-08-04 21:07           ` Mimi Zohar
2017-08-07 10:04             ` Jan Kara
2017-08-07 20:12               ` Mimi Zohar
2017-08-08 11:17                 ` Jan Kara
2017-08-22  9:59   ` [PATCH v4 2/5] ima: use fs method to read integrity data Dmitry Kasatkin
2017-07-26 13:22 ` [PATCH v4 3/5] ima: define "dont_failsafe" policy action rule Mimi Zohar
2017-08-22  9:34   ` [Linux-ima-devel] " Dmitry Kasatkin
2017-08-22  9:39     ` Dmitry Kasatkin
2017-07-26 13:22 ` [PATCH v4 4/5] ima: define "fs_unsafe" builtin policy Mimi Zohar
2017-08-22  9:36   ` Dmitry Kasatkin [this message]
2017-07-26 13:22 ` [PATCH v4 5/5] ima: remove permit_directio policy option Mimi Zohar
2017-08-22  9:27   ` [Linux-ima-devel] " Dmitry Kasatkin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CACE9dm86O8TCHG19k5rw9W-SmfLmvRJCZ0VPwqRrFZNx9CTX+g@mail.gmail.com \
    --to=dmitry.kasatkin@gmail.com \
    --cc=hch@lst.de \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-ima-devel@lists.sourceforge.net \
    --cc=linux-security-module@vger.kernel.org \
    --cc=viro@zeniv.linux.org.uk \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).