
Commit f1b08bb

author
Mimi Zohar
committed
ima: define a new policy condition based on the filesystem name
If/when file data signatures are distributed with the file data, this patch will not be needed. In the current environment where only some files are signed, the ability to differentiate between file systems is needed. Some file systems consider the file system magic number internal to the file system. This patch defines a new IMA policy condition named "fsname", based on the superblock's file_system_type (sb->s_type) name. This allows policy rules to be expressed in terms of the filesystem name. The following sample rules require file signatures on rootfs files executed or mmap'ed.

appraise func=BPRM_CHECK fsname=rootfs appraise_type=imasig
appraise func=FILE_MMAP fsname=rootfs appraise_type=imasig

Signed-off-by: Mimi Zohar <[email protected]>
Cc: Dave Chinner <[email protected]>
Cc: Theodore Ts'o <[email protected]>
1 parent fa516b6 commit f1b08bb


2 files changed

+25
-2
lines changed


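--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -21,7 +21,7 @@ Description:
 audit | hash | dont_hash
 condition:= base | lsm [option]
 base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
-[euid=] [fowner=]]
+[euid=] [fowner=] [fsname=]]
 lsm: [[subj_user=] [subj_role=] [subj_type=]
 [obj_user=] [obj_role=] [obj_type=]]
 option: [[appraise_type=]] [permit_directio]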

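--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -33,6 +33,7 @@
 #define IMA_INMASK 0x0040
 #define IMA_EUID 0x0080
 #define IMA_PCR 0x0100
+#define IMA_FSNAME 0x0200
 
 #define UNKNOWN 0
 #define MEASURE 0x0001 /* same as IMA_MEASURE */
@@ -74,6 +75,7 @@ struct ima_rule_entry {
 void *args_p; /* audit value */
 int type; /* audit type */
 } lsm[MAX_LSM_RULES];
+char *fsname;
 };
 
 /*
@@ -273,6 +275,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
 if ((rule->flags & IMA_FSMAGIC)
 && rule->fsmagic != inode->i_sb->s_magic)
 return false;
+if ((rule->flags & IMA_FSNAME)
+&& strcmp(rule->fsname, inode->i_sb->s_type->name))
+return false;
 if ((rule->flags & IMA_FSUUID) &&
 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
 return false;
@@ -540,7 +545,7 @@ enum {
 Opt_audit, Opt_hash, Opt_dont_hash,
 Opt_obj_user, Opt_obj_role, Opt_obj_type,
 Opt_subj_user, Opt_subj_role, Opt_subj_type,
-Opt_func, Opt_mask, Opt_fsmagic,
+Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname,
 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
@@ -565,6 +570,7 @@ static match_table_t policy_tokens = {
 {Opt_func, "func=%s"},
 {Opt_mask, "mask=%s"},
 {Opt_fsmagic, "fsmagic=%s"},
+{Opt_fsname, "fsname=%s"},
 {Opt_fsuuid, "fsuuid=%s"},
 {Opt_uid_eq, "uid=%s"},
 {Opt_euid_eq, "euid=%s"},
@@ -776,6 +782,17 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 if (!result)
 entry->flags |= IMA_FSMAGIC;
 break;
+case Opt_fsname:
+ima_log_string(ab, "fsname", args[0].from);
+
+entry->fsname = kstrdup(args[0].from, GFP_KERNEL);
+if (!entry->fsname) {
+result = -ENOMEM;
+break;
+}
+result = 0;
+entry->flags |= IMA_FSNAME;
+break;
 case Opt_fsuuid:
 ima_log_string(ab, "fsuuid", args[0].from);
 
@@ -1104,6 +1121,12 @@ int ima_policy_show(struct seq_file *m, void *v)
 seq_puts(m, " ");
 }
 
+if (entry->flags & IMA_FSNAME) {
+snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname);
+seq_printf(m, pt(Opt_fsname), tbuf);
+seq_puts(m, " ");
+}
+
 if (entry->flags & IMA_PCR) {
 snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
 seq_printf(m, pt(Opt_pcr), tbuf);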
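Review bot: The Opt_fsname case in ima_parse_rule kstrdup()s into entry->fsname unconditionally, so a rule that repeats `fsname=` overwrites the earlier pointer and leaks it, and no kfree(entry->fsname) appears anywhere in the patch even though, unlike fsmagic and fsuuid which store values inside the entry, this is a heap object the rule now owns. Rejecting a duplicate before allocating, `if (entry->fsname) { result = -EINVAL; break; }`, closes the first leak; the second presumably needs a kfree wherever rule entries are torn down and on the parse-failure path, both outside this hunk. Separately, ima_policy_show copies the name through tbuf with snprintf before printing, so a name longer than tbuf would be displayed truncated while the strcmp in ima_match_rules still uses the full string; passing `entry->fsname` to seq_printf directly avoids showing a policy that differs from the one enforced. The bodies of ima_parse_rule and ima_policy_show continue outside these hunks.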
