[PATCH v4 5/6] ima: add support for external setting of ima_appraise

Nayna Jain nayna at linux.vnet.ibm.com
Fri Oct 5 17:44:44 UTC 2018



On 09/27/2018 06:50 PM, Mimi Zohar wrote:
> Hi Nayna,
>
> On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
>> The "ima_appraise" mode defaults to enforcing, unless configured to allow
>> the boot command line "ima_appraise" option. This patch explicitly sets the
>> "ima_appraise" mode for the arch specific policy setting.
> Eventually this patch might be needed if/when we need to differentiate
> between different secure boot modes.
>
> Only if CONFIG_IMA_APPRAISE_BOOTPARAM is enabled, can the IMA appraise
> mode be modified on the boot command line.  Instead of this patch, how
> about making the ability to change the IMA appraise mode also
> dependent on CONFIG_IMA_ARCH_POLICY not being enabled?

Yes, I did this change. I also included other feedback and posted it as the v5 version.

Thanks Mimi for all the feedback.

Thanks & Regards,
     - Nayna


>
> Mimi
>
>> Signed-off-by: Nayna Jain <nayna at linux.vnet.ibm.com>
>> ---
>>   security/integrity/ima/ima.h          |  5 +++++
>>   security/integrity/ima/ima_appraise.c | 11 +++++++++--
>>   security/integrity/ima/ima_policy.c   |  5 ++++-
>>   3 files changed, 18 insertions(+), 3 deletions(-)
>>
>> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
>> index 588e4813370c..6e5fa7c42809 100644
>> --- a/security/integrity/ima/ima.h
>> +++ b/security/integrity/ima/ima.h
>> @@ -248,6 +248,7 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
>>   				 int xattr_len);
>>   int ima_read_xattr(struct dentry *dentry,
>>   		   struct evm_ima_xattr_data **xattr_value);
>> +void set_ima_appraise(char *str);
>>   
>>   #else
>>   static inline int ima_appraise_measurement(enum ima_hooks func,
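Review bot: the new non-static helper declared in this hunk, `set_ima_appraise(char *str)`, breaks the naming convention of the surrounding declarations (`ima_get_hash_algo`, `ima_read_xattr`, `ima_appraise_measurement` all carry the `ima_` prefix) and takes a mutable pointer although it only reads the string; consider `void ima_set_appraise(const char *str);` so the symbol stays in the subsystem's namespace and is const-correct for the literal `"enforce"` passed from ima_policy.c.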
>> @@ -290,6 +291,10 @@ static inline int ima_read_xattr(struct dentry *dentry,
>>   	return 0;
>>   }
>>   
>> +static inline void set_ima_appraise(char *str)
>> +{
>> +}
>> +
>>   #endif /* CONFIG_IMA_APPRAISE */
>>   
>>   /* LSM based policy rules require audit */
>> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
>> index 8bd7a0733e51..e061613bcb87 100644
>> --- a/security/integrity/ima/ima_appraise.c
>> +++ b/security/integrity/ima/ima_appraise.c
>> @@ -18,15 +18,22 @@
>>   
>>   #include "ima.h"
>>   
>> -static int __init default_appraise_setup(char *str)
>> +void set_ima_appraise(char *str)
>>   {
>> -#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
>>   	if (strncmp(str, "off", 3) == 0)
>>   		ima_appraise = 0;
>>   	else if (strncmp(str, "log", 3) == 0)
>>   		ima_appraise = IMA_APPRAISE_LOG;
>>   	else if (strncmp(str, "fix", 3) == 0)
>>   		ima_appraise = IMA_APPRAISE_FIX;
>> +	else if (strncmp(str, "enforce", 7) == 0)
>> +		ima_appraise = IMA_APPRAISE_ENFORCE;
>> +}
>> +
>> +static int __init default_appraise_setup(char *str)
>> +{
>> +#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
>> +	set_ima_appraise(str);
>>   #endif
>>   	return 1;
>>   }
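Review bot: moving the parser into `set_ima_appraise` drops the `__init` marker that `default_appraise_setup` had, yet both callers visible in this series (`default_appraise_setup` here and `ima_init_policy` in ima_policy.c) are `__init`, so the function now stays resident after boot for no reason; mark the definition `void __init set_ima_appraise(char *str)` or state in the changelog why it must remain callable after init. A short comment above the function noting that matching is prefix-based (`strncmp(..., 3)` / `strncmp(..., 7)`) and that an unrecognised value leaves `ima_appraise` unchanged would also help now that a second caller relies on that behaviour.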
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index 5fb4b0c123a3..410fee31b162 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -585,9 +585,12 @@ void __init ima_init_policy(void)
>>   	arch_entries = ima_init_arch_policy();
>>   	if (!arch_entries)
>>   		pr_info("No architecture policies found\n");
>> -	else
>> +	else {
>>   		add_rules(arch_policy_entry, arch_entries,
>>   			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
>> +		if (temp_ima_appraise)
>> +			set_ima_appraise("enforce");
>> +	}
>>   
>>   	/*
>>   	 * Insert the builtin "secure_boot" policy rules requiring file
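Review bot: the `if (temp_ima_appraise) set_ima_appraise("enforce");` added to the `else` branch silently overrides whatever mode the `ima_appraise=` boot parameter selected (`off`, `log` or `fix`) whenever architecture policy rules are loaded, and neither the code nor the commit message says this override is intended; add a comment at this point and a sentence in the changelog, or take the approach suggested in the reply above and make the boot-parameter override unavailable when CONFIG_IMA_ARCH_POLICY is enabled. Also, kernel coding style asks for braces on both arms once one arm needs them, so the `if (!arch_entries)` branch should become `if (!arch_entries) {` ... `}` to match the new `else {`.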
