From: Mimi Zohar <zohar@linux.ibm.com>
To: Enrico Bravi <enrico.bravi@polito.it>,
linux-integrity@vger.kernel.org, dmitry.kasatkin@gmail.com,
roberto.sassu@huawei.com
Cc: eric.snowberg@oracle.com
Subject: Re: [RFC][PATCH v2 2/2] ima: measure buffer sent to securityfs policy file
Date: Mon, 22 Dec 2025 09:01:15 -0500 [thread overview]
Message-ID: <1878eed2d61b7fe3879c6d911ae709ef08089f16.camel@linux.ibm.com> (raw)
In-Reply-To: <20251216165620.683529-3-enrico.bravi@polito.it>
Hi Enrico,
On Tue, 2025-12-16 at 17:56 +0100, Enrico Bravi wrote:
> When signed a policy is not mandatory, it is possile to write the IMA
> policy directly on the corresponding securityfs file:
>
> echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \
> "audit func=BPRM_CHECK mask=MAY_EXEC\n" \
> > /sys/kernel/security/ima/policy
>
> Add input buffer measurement that can be caught when 'measure
> func=POLICY_CHECK' is enabled (e.g., ima_policy=tcb).
>
> Suggested-by: Roberto Sassu <roberto.sassu@huawei.com>
> Signed-off-by: Enrico Bravi <enrico.bravi@polito.it>
> ---
> security/integrity/ima/ima.h | 1 +
> security/integrity/ima/ima_fs.c | 1 +
> security/integrity/ima/ima_main.c | 38 +++++++++++++++++++++++++++++++
> 3 files changed, 40 insertions(+)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index ca7b96663623..3b00c298355b 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -426,6 +426,7 @@ void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
> void ima_policy_stop(struct seq_file *m, void *v);
> int ima_policy_show(struct seq_file *m, void *v);
> void ima_measure_loaded_policy(void);
> +int ima_measure_policy_write(char *buf, size_t size);
>
> /* Appraise integrity measurements */
> #define IMA_APPRAISE_ENFORCE 0x01
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index 89946d803d44..f1a5edd060ad 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -362,6 +362,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
> 1, 0);
> result = -EACCES;
> } else {
> + ima_measure_policy_write(data, datalen);
> result = ima_parse_add_rule(data);
> }
> mutex_unlock(&ima_write_mutex);
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index cdd225f65a62..6a8ad4714881 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -28,6 +28,7 @@
> #include <linux/iversion.h>
> #include <linux/evm.h>
> #include <linux/crash_dump.h>
> +#include <linux/shmem_fs.h>
>
> #include "ima.h"
>
> @@ -986,6 +987,43 @@ static int ima_post_load_data(char *buf, loff_t size,
> return 0;
> }
>
> +/**
> + * ima_measure_policy_write - Measure the policy write buffer
> + * @buf: pointer to the buffer containing the policy write data
> + * @size: size of the buffer
> + *
> + * Measure the buffer sent to the IMA policy securityfs file.
> + *
> + * Return 0 on success, a negative value otherwise.
> + */
> +int ima_measure_policy_write(char *buf, size_t size0
> +{
> + static const char op[] = "measure_ima_policy_write";
> + const char *file_name = "ima_write_policy_buffer";
> + static char *audit_cause = "ENOMEM";
> + struct file *policy_file = NULL;
> + struct lsm_prop prop;
> + int ret = 0;
> +
> + policy_file = shmem_kernel_file_setup(file_name, 0, 0);
> + if (IS_ERR(policy_file)) {
> + ret = PTR_ERR(policy_file);
> + audit_cause = "alloc_file";
> + integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, "ima_policy_write",
> + op, audit_cause, ret, 1);
> + goto out;
> + }
> +
> + security_current_getlsmprop_subj(&prop);
> +
> + ret = process_measurement(policy_file, current_cred(), &prop, buf, size,
> + MAY_READ, POLICY_CHECK);
The purpose of this patch is to measure IMA policy rules as they're written to
the <securityfs> IMA policy file, based on the IMA "measure func=POLICY_CHECK"
policy rule.
Like critical data, it should be calling process_buffer_measurement(), not
process_measurement().
The functions ima_match_rules() and ima_match_rule_data() need to be updated to
support POLICY_CHECK.
This function naming is off and should be renamed to ima_measure_policy_buf().
Please update the patch description accordingly.
Mimi
> + fput(policy_file);
> +
> +out:
> + return ret;
> +}
> +
> /**
> * process_buffer_measurement - Measure the buffer or the buffer data hash
> * @idmap: idmap of the mount the inode was found from
next prev parent reply other threads:[~2025-12-22 14:01 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-25 13:12 [RFC][PATCH] ima: add measurement for first unverified write on ima policy file Enrico Bravi
2025-02-26 1:53 ` Mimi Zohar
2025-02-26 22:53 ` Enrico Bravi
2025-02-27 3:05 ` Mimi Zohar
2025-02-27 11:36 ` Enrico Bravi
2025-02-27 14:49 ` Roberto Sassu
2025-03-03 10:26 ` Enrico Bravi
2025-03-05 8:59 ` Roberto Sassu
2025-03-06 8:20 ` Enrico Bravi
2025-03-06 8:47 ` Roberto Sassu
2025-03-06 14:22 ` Enrico Bravi
2025-12-16 16:56 ` [RFC][PATCH v2 0/2] ima: measure write on securityfs " Enrico Bravi
2025-12-16 16:56 ` [RFC][PATCH v2 1/2] ima: measure loaded policy after " Enrico Bravi
2025-12-19 19:13 ` Mimi Zohar
2026-01-03 15:18 ` Enrico Bravi
2025-12-16 16:56 ` [RFC][PATCH v2 2/2] ima: measure buffer sent to " Enrico Bravi
2025-12-22 14:01 ` Mimi Zohar [this message]
2026-01-03 15:21 ` Enrico Bravi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1878eed2d61b7fe3879c6d911ae709ef08089f16.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=enrico.bravi@polito.it \
--cc=eric.snowberg@oracle.com \
--cc=linux-integrity@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox