* [PATCH] ima: ignore suffixed policy rule comments
From: Mimi Zohar @ 2024-12-30 14:23 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel
Lines beginning with '#' in the IMA policy are comments and are ignored.
Instead of placing the rule and comment on separate lines, allow the
comment to be suffixed to the IMA policy rule.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
security/integrity/ima/ima_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 23bbe2c405f0..128fab897930 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1432,7 +1432,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
int token;
unsigned long lnum;
- if (result < 0)
+ if (result < 0 || *p == '#') /* ignore suffixed comment */
break;
if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
continue;
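Review bot: the new `*p == '#'` test only recognizes a comment when the `#` begins a whitespace-delimited token, so `func=FILE_CHECK#comment` is still handed on as a keyword value rather than stripped; the commit message and the policy-syntax documentation should say that a space or tab must precede a suffixed comment, and the diffstat shows no documentation update alongside this change. A short comment that the break is deliberate (everything after the `#` on the line is dropped) would also help, since the same `break` previously served only the `result < 0` error path.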
--
2.47.1
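As an added example, not the kernel's code, the following user-space model of the token loop that the patch above changes shows which `#` placements are treated as a suffixed comment and which are not; the split on spaces and tabs (mirroring what strsep() would do), the 64-byte token limit and the sample rules are assumptions of this model.

```c
/* Added example, not kernel code: a user-space model of the token loop in
 * ima_parse_rule() after the patch, showing which '#' placements count as
 * a suffixed comment. Split on blanks and 64-byte tokens are assumptions. */
#include <stdio.h>
#include <string.h>
#define MAX_TOKENS 16
#define TOKEN_LEN  64

/* Split one policy rule into its keyword=value tokens, stopping at the
 * first token that begins with '#'. Returns the token count or -1. */
static int parse_rule_tokens(const char *line, char tokens[][TOKEN_LEN], int max)
{
    char buf[256], *p = buf;
    int n = 0;
    if (strlen(line) >= sizeof(buf))
        return -1;                    /* line too long for this model */
    strcpy(buf, line);
    while (p != NULL) {               /* same split as strsep(&rule, " \t") */
        char *tok = p, *sep = strpbrk(p, " \t");
        if (sep) *sep++ = '\0';
        p = sep;
        if (*tok == '#')              /* suffixed comment: drop the rest */
            break;
        if (*tok == '\0')             /* empty token from repeated blanks */
            continue;
        if (n == max || strlen(tok) >= TOKEN_LEN)
            return -1;
        strcpy(tokens[n++], tok);
    }
    return n;
}

int main(void)
{
    /* Constructed sample rules, not taken from a real policy file. */
    const char *rules[] = {
        "measure func=BPRM_CHECK mask=MAY_EXEC   # measure executables",
        "dont_measure fsmagic=0x01021994 func=FILE_CHECK",
        "measure func=KEXEC_CMDLINE#no-blank-before-hash",
        "# whole-line comment",
    };
    char tokens[MAX_TOKENS][TOKEN_LEN];
    for (unsigned i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        int n = parse_rule_tokens(rules[i], tokens, MAX_TOKENS);
        printf("%-56s -> %d token(s):", rules[i], n);
        for (int j = 0; j < n; j++)
            printf(" [%s]", tokens[j]);
        printf("\n");
    }
    return 0;
}
```

The third sample shows the edge case: a `#` glued to a value is not a comment, it stays part of the token and would then fail keyword matching.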
* [PATCH] ima: limit the builtin 'tcb' dont_measure tmpfs policy rule
From: Mimi Zohar @ 2024-12-30 14:23 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel
With a custom policy similar to the builtin IMA 'tcb' policy [1], arch
specific policy, and a kexec boot command line measurement policy rule,
the kexec boot command line is not measured due to the dont_measure
tmpfs rule.
Limit the builtin 'tcb' dont_measure tmpfs policy rule to just the
"func=FILE_CHECK" hook. Depending on the end user's security threat
model, a custom policy might not even include this dont_measure tmpfs
rule.
Note: as a result of this policy rule change, other measurements might
also be included in the IMA-measurement list that previously weren't
included.
[1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
security/integrity/ima/ima_policy.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 21a8e54c383f..23bbe2c405f0 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -148,7 +148,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
- {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK,
+ .flags = IMA_FSMAGIC | IMA_FUNC},
{.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
--
2.47.1
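Review bot: with `.func = FILE_CHECK` and `IMA_FUNC` added, tmpfs content reached through any other hook (the KEXEC_CMDLINE case from the commit message included) now falls through to the later rules, and the commit message only notes this in passing; since the builtin 'tcb' policy is documented at the [1] link, that documentation should state that tmpfs is now excluded from measurement only on FILE_CHECK, because deployments that compare measurement lists across kernel versions will see new entries. It would also help to say whether the appraise-side builtin rules need a matching change, as this hunk touches only dont_measure_rules[].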
* Re: [PATCH] ima: limit the builtin 'tcb' dont_measure tmpfs policy rule
From: Petr Vorel @ 2024-12-31 9:33 UTC (permalink / raw)
To: Mimi Zohar; +Cc: linux-integrity
Hi Mimi,
> With a custom policy similar to the builtin IMA 'tcb' policy [1], arch
> specific policy, and a kexec boot command line measurement policy rule,
> the kexec boot command line is not measured due to the dont_measure
> tmpfs rule.
> Limit the builtin 'tcb' dont_measure tmpfs policy rule to just the
> "func=FILE_CHECK" hook. Depending on the end users security threat
> model, a custom policy might not even include this dont_measure tmpfs
> rule.
> Note: as a result of this policy rule change, other measurements might
> also be included in the IMA-measurement list that previously weren't
> included.
LGTM.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
> [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> security/integrity/ima/ima_policy.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 21a8e54c383f..23bbe2c405f0 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -148,7 +148,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
> {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
> {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
> {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
> - {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
> + {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK,
> + .flags = IMA_FSMAGIC | IMA_FUNC},
> {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
> {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
> {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
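As an added example, not kernel code, the following user-space model of the IMA rule walk shows why the patch Petr reviews above makes the difference the commit message describes: a rule with only IMA_FSMAGIC set matches on every hook, while the patched rule also requires func=FILE_CHECK. The hook numbering, the flag bit values and the two-rule policy lists are constructed for this model; TMPFS_MAGIC is the kernel's value.

```c
/* Added example, not kernel code: a user-space model of the IMA rule walk
 * showing why limiting the builtin 'tcb' tmpfs dont_measure rule to
 * func=FILE_CHECK lets a kexec command line on tmpfs be measured.
 * Hook numbers, flag bits and the two-rule policy lists are constructed. */
#include <stdbool.h>
#include <stdio.h>
#define TMPFS_MAGIC 0x01021994UL  /* kernel's TMPFS_MAGIC value */
#define IMA_FSMAGIC 0x1           /* constructed flag bits */
#define IMA_FUNC    0x2
enum ima_hooks { NONE = 0, FILE_CHECK, KEXEC_CMDLINE }; /* subset, assumed numbering */
enum { NO_MATCH = 0, MEASURE, DONT_MEASURE };
struct rule { int action; unsigned long fsmagic; enum ima_hooks func; unsigned flags; };

/* A rule matches only if every condition enabled in its flags holds,
 * so a rule without IMA_FUNC matches on every hook. */
static bool rule_match(const struct rule *r, unsigned long fsmagic, enum ima_hooks func)
{
    return !((r->flags & IMA_FSMAGIC) && r->fsmagic != fsmagic) &&
           !((r->flags & IMA_FUNC) && r->func != func);
}

/* Walk the list in order; the first matching rule decides the action. */
static int policy_action(const struct rule *rules, int n, unsigned long fsmagic, enum ima_hooks func)
{
    for (int i = 0; i < n; i++)
        if (rule_match(&rules[i], fsmagic, func))
            return rules[i].action;
    return NO_MATCH;
}

/* Builtin tmpfs rule as before the patch, then a kexec command line measure rule. */
static const struct rule before[] = {
    { DONT_MEASURE, TMPFS_MAGIC, NONE, IMA_FSMAGIC },
    { MEASURE, 0, KEXEC_CMDLINE, IMA_FUNC },
};
/* The same list after the patch: tmpfs rule limited to func=FILE_CHECK. */
static const struct rule after[] = {
    { DONT_MEASURE, TMPFS_MAGIC, FILE_CHECK, IMA_FSMAGIC | IMA_FUNC },
    { MEASURE, 0, KEXEC_CMDLINE, IMA_FUNC },
};

int main(void)
{
    const struct rule *lists[] = { before, after };
    for (int i = 0; i < 2; i++)
        printf("%s: kexec cmdline on tmpfs -> %s\n", i ? "after" : "before",
               policy_action(lists[i], 2, TMPFS_MAGIC, KEXEC_CMDLINE) == MEASURE ? "measured" : "not measured");
    return 0;
}
```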
* Re: [PATCH] ima: limit the builtin 'tcb' dont_measure tmpfs policy rule
From: Roberto Sassu @ 2025-01-15 10:09 UTC (permalink / raw)
To: Mimi Zohar, linux-integrity; +Cc: Petr Vorel
On 12/30/2024 3:23 PM, Mimi Zohar wrote:
> With a custom policy similar to the builtin IMA 'tcb' policy [1], arch
> specific policy, and a kexec boot command line measurement policy rule,
> the kexec boot command line is not measured due to the dont_measure
> tmpfs rule.
>
> Limit the builtin 'tcb' dont_measure tmpfs policy rule to just the
> "func=FILE_CHECK" hook. Depending on the end users security threat
> model, a custom policy might not even include this dont_measure tmpfs
> rule.
Another possible alternative would be to support negation for the func=
keyword. In that case, the dont_measure tmpfs policy rule can be
rewritten like:
dont_measure fsmagic=0x01021994 func=!KEXEC_CMDLINE
Roberto
> Note: as a result of this policy rule change, other measurements might
> also be included in the IMA-measurement list that previously weren't
> included.
>
> [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb
>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> security/integrity/ima/ima_policy.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 21a8e54c383f..23bbe2c405f0 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -148,7 +148,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
> {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
> {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
> {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
> - {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
> + {.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK,
> + .flags = IMA_FSMAGIC | IMA_FUNC},
> {.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
> {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
> {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
* Re: [PATCH] ima: ignore suffixed policy rule comments
From: Petr Vorel @ 2024-12-31 7:28 UTC (permalink / raw)
To: Mimi Zohar; +Cc: linux-integrity
Hi Mimi,
> Lines beginning with '#' in the IMA policy are comments and are ignored.
> Instead of placing the rule and comment on separate lines, allow the
> comment to be suffixed to the IMA policy rule.
+1
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> security/integrity/ima/ima_policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 23bbe2c405f0..128fab897930 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1432,7 +1432,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> int token;
> unsigned long lnum;
> - if (result < 0)
> + if (result < 0 || *p == '#') /* ignore suffixed comment */
> break;
> if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
> continue;
* Re: [PATCH] ima: ignore suffixed policy rule comments
From: Jarkko Sakkinen @ 2025-01-03 13:24 UTC (permalink / raw)
To: Mimi Zohar, linux-integrity; +Cc: Petr Vorel
On Mon Dec 30, 2024 at 4:23 PM EET, Mimi Zohar wrote:
> Lines beginning with '#' in the IMA policy are comments and are ignored.
> Instead of placing the rule and comment on separate lines, allow the
> comment to be suffixed to the IMA policy rule.
>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> security/integrity/ima/ima_policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 23bbe2c405f0..128fab897930 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1432,7 +1432,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> int token;
> unsigned long lnum;
>
> - if (result < 0)
> + if (result < 0 || *p == '#') /* ignore suffixed comment */
skip? Not that relevant but skipping those lines is the actual action
taken in order to reach the state of ignorance ;-)
> break;
> if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
> continue;
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko