Linux Integrity Measurement development
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Enrico Bravi <enrico.bravi@polito.it>,
	linux-integrity@vger.kernel.org, dmitry.kasatkin@gmail.com,
	roberto.sassu@huawei.com
Cc: eric.snowberg@oracle.com
Subject: Re: [RFC][PATCH v2 2/2] ima: measure buffer sent to securityfs policy file
Date: Mon, 22 Dec 2025 09:01:15 -0500	[thread overview]
Message-ID: <1878eed2d61b7fe3879c6d911ae709ef08089f16.camel@linux.ibm.com> (raw)
In-Reply-To: <20251216165620.683529-3-enrico.bravi@polito.it>

Hi Enrico,

On Tue, 2025-12-16 at 17:56 +0100, Enrico Bravi wrote:
> When signed a policy is not mandatory, it is possile to write the IMA
> policy directly on the corresponding securityfs file:
> 
> echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \
>         "audit func=BPRM_CHECK mask=MAY_EXEC\n" \
>      > /sys/kernel/security/ima/policy
> 
> Add input buffer measurement that can be caught when 'measure
> func=POLICY_CHECK' is enabled (e.g., ima_policy=tcb).
> 
> Suggested-by: Roberto Sassu <roberto.sassu@huawei.com>
> Signed-off-by: Enrico Bravi <enrico.bravi@polito.it>
> ---
>  security/integrity/ima/ima.h      |  1 +
>  security/integrity/ima/ima_fs.c   |  1 +
>  security/integrity/ima/ima_main.c | 38 +++++++++++++++++++++++++++++++
>  3 files changed, 40 insertions(+)
> 
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index ca7b96663623..3b00c298355b 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -426,6 +426,7 @@ void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
>  void ima_policy_stop(struct seq_file *m, void *v);
>  int ima_policy_show(struct seq_file *m, void *v);
>  void ima_measure_loaded_policy(void);
> +int ima_measure_policy_write(char *buf, size_t size);
>  
>  /* Appraise integrity measurements */
>  #define IMA_APPRAISE_ENFORCE	0x01
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index 89946d803d44..f1a5edd060ad 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -362,6 +362,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
>  				    1, 0);
>  		result = -EACCES;
>  	} else {
> +		ima_measure_policy_write(data, datalen);
>  		result = ima_parse_add_rule(data);
>  	}
>  	mutex_unlock(&ima_write_mutex);
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index cdd225f65a62..6a8ad4714881 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -28,6 +28,7 @@
>  #include <linux/iversion.h>
>  #include <linux/evm.h>
>  #include <linux/crash_dump.h>
> +#include <linux/shmem_fs.h>
>  
>  #include "ima.h"
>  
> @@ -986,6 +987,43 @@ static int ima_post_load_data(char *buf, loff_t size,
>  	return 0;
>  }
>  
> +/**
> + * ima_measure_policy_write - Measure the policy write buffer
> + * @buf: pointer to the buffer containing the policy write data
> + * @size: size of the buffer
> + *
> + * Measure the buffer sent to the IMA policy securityfs file.
> + *
> + * Return 0 on success, a negative value otherwise.
> + */
> +int ima_measure_policy_write(char *buf, size_t size0
> +{
> +	static const char op[] = "measure_ima_policy_write";
> +	const char *file_name = "ima_write_policy_buffer";
> +	static char *audit_cause = "ENOMEM";
> +	struct file *policy_file = NULL;
> +	struct lsm_prop prop;
> +	int ret = 0;
> +
> +	policy_file = shmem_kernel_file_setup(file_name, 0, 0);
> +	if (IS_ERR(policy_file)) {
> +		ret = PTR_ERR(policy_file);
> +		audit_cause = "alloc_file";
> +		integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, "ima_policy_write",
> +				    op, audit_cause, ret, 1);
> +		goto out;
> +	}
> +
> +	security_current_getlsmprop_subj(&prop);
> +
> +	ret = process_measurement(policy_file, current_cred(), &prop, buf, size,
> +				  MAY_READ, POLICY_CHECK);

The purpose of this patch is to measure IMA policy rules as they're written to
the <securityfs> IMA policy file, based on the IMA "measure func=POLICY_CHECK"
policy rule.

Like critical data, it should be calling process_buffer_measurement(), not
process_measurement().

The functions ima_match_rules() and ima_match_rule_data() need to be updated to
support POLICY_CHECK.

This function naming is off and should be renamed to ima_measure_policy_buf().

Please update the patch description accordingly.

Mimi

> +	fput(policy_file);
> +
> +out:
> +	return ret;
> +}
> +
>  /**
>   * process_buffer_measurement - Measure the buffer or the buffer data hash
>   * @idmap: idmap of the mount the inode was found from


  reply	other threads:[~2025-12-22 14:01 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-25 13:12 [RFC][PATCH] ima: add measurement for first unverified write on ima policy file Enrico Bravi
2025-02-26  1:53 ` Mimi Zohar
2025-02-26 22:53   ` Enrico  Bravi
2025-02-27  3:05     ` Mimi Zohar
2025-02-27 11:36       ` Enrico  Bravi
2025-02-27 14:49         ` Roberto Sassu
2025-03-03 10:26           ` Enrico  Bravi
2025-03-05  8:59             ` Roberto Sassu
2025-03-06  8:20               ` Enrico  Bravi
2025-03-06  8:47                 ` Roberto Sassu
2025-03-06 14:22                   ` Enrico  Bravi
2025-12-16 16:56 ` [RFC][PATCH v2 0/2] ima: measure write on securityfs " Enrico Bravi
2025-12-16 16:56 ` [RFC][PATCH v2 1/2] ima: measure loaded policy after " Enrico Bravi
2025-12-19 19:13   ` Mimi Zohar
2026-01-03 15:18     ` Enrico  Bravi
2025-12-16 16:56 ` [RFC][PATCH v2 2/2] ima: measure buffer sent to " Enrico Bravi
2025-12-22 14:01   ` Mimi Zohar [this message]
2026-01-03 15:21     ` Enrico  Bravi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1878eed2d61b7fe3879c6d911ae709ef08089f16.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=enrico.bravi@polito.it \
    --cc=eric.snowberg@oracle.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=roberto.sassu@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox