[PATCH] ima: ignore suffixed policy rule comments

[PATCH] ima: ignore suffixed policy rule comments

[Mimi Zohar]

Lines beginning with '#' in the IMA policy are comments and are ignored.
Instead of placing the rule and comment on separate lines, allow the
comment to be suffixed to the IMA policy rule.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/ima/ima_policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 23bbe2c405f0..128fab897930 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1432,7 +1432,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 		int token;
 		unsigned long lnum;
 
-		if (result < 0)
+		if (result < 0 || *p == '#')  /* ignore suffixed comment */
 			break;
 		if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
 			continue;
-- 
2.47.1

[PATCH] ima: limit the builtin 'tcb' dont_measure tmpfs policy rule

[Mimi Zohar]

With a custom policy similar to the builtin IMA 'tcb' policy [1], arch
specific policy, and a kexec boot command line measurement policy rule,
the kexec boot command line is not measured due to the dont_measure
tmpfs rule.

Limit the builtin 'tcb' dont_measure tmpfs policy rule to just the
"func=FILE_CHECK" hook.  Depending on the end users security threat
model, a custom policy might not even include this dont_measure tmpfs
rule.

Note: as a result of this policy rule change, other measurements might
also be included in the IMA-measurement list that previously weren't
included.

[1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/ima/ima_policy.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 21a8e54c383f..23bbe2c405f0 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -148,7 +148,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
 	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
-	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
+	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK,
+	 .flags = IMA_FSMAGIC | IMA_FUNC},
 	{.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
-- 
2.47.1

Re: [PATCH] ima: ignore suffixed policy rule comments

[Petr Vorel]

Hi Mimi,

> Lines beginning with '#' in the IMA policy are comments and are ignored.
> Instead of placing the rule and comment on separate lines, allow the
> comment to be suffixed to the IMA policy rule.

+1

Reviewed-by: Petr Vorel <pvorel@suse.cz>

Kind regards,
Petr

> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  security/integrity/ima/ima_policy.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 23bbe2c405f0..128fab897930 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1432,7 +1432,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>  		int token;
>  		unsigned long lnum;

> -		if (result < 0)
> +		if (result < 0 || *p == '#')  /* ignore suffixed comment */
>  			break;
>  		if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
>  			continue;

Re: [PATCH] ima: limit the builtin 'tcb' dont_measure tmpfs policy rule

[Petr Vorel]

Hi Mimi,

> With a custom policy similar to the builtin IMA 'tcb' policy [1], arch
> specific policy, and a kexec boot command line measurement policy rule,
> the kexec boot command line is not measured due to the dont_measure
> tmpfs rule.

> Limit the builtin 'tcb' dont_measure tmpfs policy rule to just the
> "func=FILE_CHECK" hook.  Depending on the end users security threat
> model, a custom policy might not even include this dont_measure tmpfs
> rule.

> Note: as a result of this policy rule change, other measurements might
> also be included in the IMA-measurement list that previously weren't
> included.

LGTM.
Reviewed-by: Petr Vorel <pvorel@suse.cz>

Kind regards,
Petr

> [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb

> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  security/integrity/ima/ima_policy.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 21a8e54c383f..23bbe2c405f0 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -148,7 +148,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
>  	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
>  	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
>  	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
> -	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
> +	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK,
> +	 .flags = IMA_FSMAGIC | IMA_FUNC},
>  	{.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
>  	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
>  	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},

Re: [PATCH] ima: ignore suffixed policy rule comments

[Jarkko Sakkinen]

On Mon Dec 30, 2024 at 4:23 PM EET, Mimi Zohar wrote:
> Lines beginning with '#' in the IMA policy are comments and are ignored.
> Instead of placing the rule and comment on separate lines, allow the
> comment to be suffixed to the IMA policy rule.
>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  security/integrity/ima/ima_policy.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 23bbe2c405f0..128fab897930 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1432,7 +1432,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>  		int token;
>  		unsigned long lnum;
>  
> -		if (result < 0)
> +		if (result < 0 || *p == '#')  /* ignore suffixed comment */
                                                 skip?

Not that relevant but skipping those lines is the actual action taken
in order to reach the state of ignorance ;-)

>  			break;
>  		if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
>  			continue;

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

BR, Jarkko

Re: [PATCH] ima: limit the builtin 'tcb' dont_measure tmpfs policy rule

[Roberto Sassu]

On 12/30/2024 3:23 PM, Mimi Zohar wrote:
> With a custom policy similar to the builtin IMA 'tcb' policy [1], arch
> specific policy, and a kexec boot command line measurement policy rule,
> the kexec boot command line is not measured due to the dont_measure
> tmpfs rule.
> 
> Limit the builtin 'tcb' dont_measure tmpfs policy rule to just the
> "func=FILE_CHECK" hook.  Depending on the end users security threat
> model, a custom policy might not even include this dont_measure tmpfs
> rule.

Another possible alternative would be to support negation for the func= 
keyword.

In that case, the dont_measure tmpfs policy rule can be rewritten like:

dont_measure fsmagic=0x01021994 func=!KEXEC_CMDLINE

Roberto

> Note: as a result of this policy rule change, other measurements might
> also be included in the IMA-measurement list that previously weren't
> included.
> 
> [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>   security/integrity/ima/ima_policy.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 21a8e54c383f..23bbe2c405f0 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -148,7 +148,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
>   	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
>   	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
>   	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
> -	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
> +	{.action = DONT_MEASURE, .fsmagic = TMPFS_MAGIC, .func = FILE_CHECK,
> +	 .flags = IMA_FSMAGIC | IMA_FUNC},
>   	{.action = DONT_MEASURE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
>   	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
>   	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},