From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Mickael Salaun <mic@digikod.net>, Steve Grubb <sgrubb@redhat.com>,
Jann Horn <jannh@google.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] ima: add policy support for identifying file execute mode bit
Date: Wed, 29 Apr 2020 09:38:42 -0400 [thread overview]
Message-ID: <1588167523-7866-2-git-send-email-zohar@linux.ibm.com> (raw)
In-Reply-To: <1588167523-7866-1-git-send-email-zohar@linux.ibm.com>
Extend the IMA policy language with "mode=IXUGO" to identify files with
the execute mode bit enabled.
Examples:
measure func=FILE_CHECK mode=IXUGO
appraise func=FILE_CHECK appraise_type=imasig mode=IXUGO
Suggested-by: Steve Grubb <sgrubb@redhat.com> (based on execute mode bit)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
Documentation/ABI/testing/ima_policy | 5 +++--
security/integrity/ima/ima_policy.c | 18 ++++++++++++++++--
2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index cd572912c593..a12e784cee31 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -20,8 +20,8 @@ Description:
action: measure | dont_measure | appraise | dont_appraise |
audit | hash | dont_hash
condition:= base | lsm [option]
- base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
- [euid=] [fowner=] [fsname=]]
+ base: [[func=] [mask=] [mode=] [fsmagic=] [fsuuid=]
+ [uid=] [euid=] [fowner=] [fsname=]]
lsm: [[subj_user=] [subj_role=] [subj_type=]
[obj_user=] [obj_role=] [obj_type=]]
option: [[appraise_type=]] [template=] [permit_directio]
@@ -32,6 +32,7 @@ Description:
[KEXEC_CMDLINE] [KEY_CHECK]
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
[[^]MAY_EXEC]
+ mode:= [IXUGO]
fsmagic:= hex value
fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
uid:= decimal value
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index ef7f68cc935e..28b68e076638 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -33,6 +33,7 @@
#define IMA_PCR 0x0100
#define IMA_FSNAME 0x0200
#define IMA_KEYRINGS 0x0400
+#define IMA_IXUGO 0x0800
#define UNKNOWN 0
#define MEASURE 0x0001 /* same as IMA_MEASURE */
@@ -435,6 +436,8 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
if ((rule->flags & IMA_INMASK) &&
(!(rule->mask & mask) && func != POST_SETATTR))
return false;
+ if ((rule->flags & IMA_IXUGO) && !(inode->i_mode & S_IXUGO))
+ return false;
if ((rule->flags & IMA_FSMAGIC)
&& rule->fsmagic != inode->i_sb->s_magic)
return false;
@@ -459,6 +462,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
if ((rule->flags & IMA_FOWNER) &&
!rule->fowner_op(inode->i_uid, rule->fowner))
return false;
+
for (i = 0; i < MAX_LSM_RULES; i++) {
int rc = 0;
u32 osid;
@@ -822,7 +826,7 @@ enum {
Opt_audit, Opt_hash, Opt_dont_hash,
Opt_obj_user, Opt_obj_role, Opt_obj_type,
Opt_subj_user, Opt_subj_role, Opt_subj_type,
- Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname,
+ Opt_func, Opt_mask, Opt_mode, Opt_fsmagic, Opt_fsname,
Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
@@ -847,6 +851,7 @@ static const match_table_t policy_tokens = {
{Opt_subj_type, "subj_type=%s"},
{Opt_func, "func=%s"},
{Opt_mask, "mask=%s"},
+ {Opt_mode, "mode=%s"},
{Opt_fsmagic, "fsmagic=%s"},
{Opt_fsname, "fsname=%s"},
{Opt_fsuuid, "fsuuid=%s"},
@@ -1098,6 +1103,13 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
entry->flags |= (*args[0].from == '^')
? IMA_INMASK : IMA_MASK;
break;
+ case Opt_mode:
+ ima_log_string(ab, "mode", args[0].from);
+ if ((strcmp(args[0].from, "IXUGO")) == 0)
+ entry->flags |= IMA_IXUGO;
+ else
+ result = -EINVAL;
+ break;
case Opt_fsmagic:
ima_log_string(ab, "fsmagic", args[0].from);
@@ -1185,7 +1197,6 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
uid_token = (token == Opt_uid_eq) ||
(token == Opt_uid_gt) ||
(token == Opt_uid_lt);
-
ima_log_string_op(ab, uid_token ? "uid" : "euid",
args[0].from, entry->uid_op);
@@ -1522,6 +1533,9 @@ int ima_policy_show(struct seq_file *m, void *v)
seq_puts(m, " ");
}
+ if (entry->flags & IMA_IXUGO)
+ seq_puts(m, "mode=IXUGO ");
+
if (entry->flags & IMA_FSMAGIC) {
snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic);
seq_printf(m, pt(Opt_fsmagic), tbuf);
--
2.7.5
next prev parent reply other threads:[~2020-04-29 13:39 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-29 13:38 [PATCH 0/2] ima: extending IMA policy to support interpreters Mimi Zohar
2020-04-29 13:38 ` Mimi Zohar [this message]
2020-04-29 17:22 ` [PATCH 1/2] ima: add policy support for identifying file execute mode bit Lakshmi Ramasubramanian
2020-04-29 13:38 ` [PATCH 2/2] ima: add policy support for the new file open MAY_OPENEXEC flag Mimi Zohar
2020-04-29 17:22 ` Lakshmi Ramasubramanian
2020-04-29 21:24 ` kbuild test robot
2020-04-30 13:42 ` Mimi Zohar
2020-04-30 14:26 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1588167523-7866-2-git-send-email-zohar@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=jannh@google.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).