linux-integrity.vger.kernel.org archive mirror
From: Mimi Zohar <zohar@linux.ibm.com>
To: Roberto Sassu <roberto.sassu@huawei.com>
Cc: linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, silviu.vlasceanu@huawei.com,
	stable@vger.kernel.org
Subject: Re: [PATCH] ima: Fix return value of ima_write_policy()
Date: Wed, 22 Apr 2020 22:34:26 -0400
Message-ID: <1587609266.5165.58.camel@linux.ibm.com>
In-Reply-To: <20200421090442.22693-1-roberto.sassu@huawei.com>

On Tue, 2020-04-21 at 11:04 +0200, Roberto Sassu wrote:
> Return datalen instead of zero if there is a rule to appraise the policy
> but that rule is not enforced.
> 
> Cc: stable@vger.kernel.org
> Fixes: 19f8a84713edc ("ima: measure and appraise the IMA policy itself")
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>  security/integrity/ima/ima_fs.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index a71e822a6e92..2c2ea814b954 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -340,6 +340,8 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
>  				    1, 0);
>  		if (ima_appraise & IMA_APPRAISE_ENFORCE)
>  			result = -EACCES;
> +		else
> +			result = datalen;

In all other cases, where the IMA_APPRAISE_ENFORCE is not enabled we
allow the action.  Here we prevent loading the policy, but don't
return an error.  One option, as you did, is return some indication
that the policy was not loaded.  Another option would be to allow
loading the policy in LOG or FIX mode, but I don't think that would be
productive.  Perhaps differentiate between the LOG and FIX modes from
the OFF mode.  For the LOG and FIX modes, perhaps return -EACCES as
well.  For the OFF case, loading a policy with appraise rules should
not be permitted.

Mimi

>  	} else {
>  		result = ima_parse_add_rule(data);
>  	}
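Review bot: the changelog says the return value replaces zero, but neither it nor the hunk explains why returning zero is a problem, so the Fixes: and Cc: stable tags are not justified as written; add a sentence to the commit message stating what the caller observes (a write(2) that returns zero for a non-empty buffer) so the backport rationale is on record. Within the hunk, `else result = datalen;` now reports the whole write as accepted on a path that, as the reply above notes, does not load the policy; a short comment above the `else`, e.g. `/* not enforcing: policy is not loaded, but report the write as consumed */`, would keep the next reader from taking this for a success path.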



Thread overview: 4+ messages
2020-04-21  9:04 [PATCH] ima: Fix return value of ima_write_policy() Roberto Sassu
2020-04-23  2:34 ` Mimi Zohar [this message]
2020-04-23  9:39   ` Roberto Sassu
2020-04-23 19:10     ` Mimi Zohar
