[PATCH v2 11/11] ima: Support additional conditionals in the KEXEC_CMDLINE hook function
Lakshmi Ramasubramanian
nramas at linux.microsoft.com
Sun Jun 28 00:03:11 UTC 2020
On 6/26/20 3:39 PM, Tyler Hicks wrote:
> Take the properties of the kexec kernel's inode and the current task
> ownership into consideration when matching a KEXEC_CMDLINE operation to
> the rules in the IMA policy. This allows for some uniformity when
> writing IMA policy rules for KEXEC_KERNEL_CHECK, KEXEC_INITRAMFS_CHECK,
> and KEXEC_CMDLINE operations.
>
> Prior to this patch, it was not possible to write a set of rules like
> this:
>
> dont_measure func=KEXEC_KERNEL_CHECK obj_type=foo_t
> dont_measure func=KEXEC_INITRAMFS_CHECK obj_type=foo_t
> dont_measure func=KEXEC_CMDLINE obj_type=foo_t
> measure func=KEXEC_KERNEL_CHECK
> measure func=KEXEC_INITRAMFS_CHECK
> measure func=KEXEC_CMDLINE
>
> The inode information associated with the kernel being loaded by a
> kexec_kernel_load(2) syscall can now be included in the decision to
> measure or not
>
> Additonally, the uid, euid, and subj_* conditionals can also now be
> used in KEXEC_CMDLINE rules. There was no technical reason as to why
> those conditionals weren't being considered previously other than
> ima_match_rules() didn't have a valid inode to use so it immediately
> bailed out for KEXEC_CMDLINE operations rather than going through the
> full list of conditional comparisons.
>
> Signed-off-by: Tyler Hicks <tyhicks at linux.microsoft.com>
> Cc: Eric Biederman <ebiederm at xmission.com>
> Cc: kexec at lists.infradead.org
> ---
>
> * v2
> - Moved the inode parameter of process_buffer_measurement() to be the
> first parameter so that it more closely matches process_masurement()
>
> include/linux/ima.h | 4 ++--
> kernel/kexec_file.c | 2 +-
> security/integrity/ima/ima.h | 2 +-
> security/integrity/ima/ima_api.c | 2 +-
> security/integrity/ima/ima_appraise.c | 2 +-
> security/integrity/ima/ima_asymmetric_keys.c | 2 +-
> security/integrity/ima/ima_main.c | 23 +++++++++++++++-----
> security/integrity/ima/ima_policy.c | 17 +++++----------
> security/integrity/ima/ima_queue_keys.c | 2 +-
> 9 files changed, 31 insertions(+), 25 deletions(-)
>
Reviewed-by: Lakshmi Ramasubramanian <nramas at linux.microsoft.com>
More information about the Linux-security-module-archive
mailing list