[PATCH v12 12/26] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now

Stefan Berger stefanb at linux.ibm.com
Tue May 24 13:25:30 UTC 2022 


On 5/22/22 13:38, Serge E. Hallyn wrote:
> On Wed, Apr 20, 2022 at 10:06:19AM -0400, Stefan Berger wrote:
>> Only accept AUDIT rules for non-init_ima_ns namespaces for now. Reject
> 
> This sentence gives me trouble - i keep thinking you mean that you'll
> reject AUDIT rules for init_ima_ns :)  Can you rephrase it as something
> like
> 
> For non-init_ima_ns namespaces, only accept AUDIT rules for now.
> 
> :)
> 
>> all rules that require support for measuring, appraisal, and hashing.
>

I kept the title of the patch but the text now states:

For non-init_ima_ns namespaces, only accept AUDIT rules for now. Reject
all rules that require support for measuring, appraisal, and hashing.



>
>> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
>> Acked-by: Christian Brauner <brauner at kernel.org>
>> Reviewed-by: Mimi Zohar <zohar at linux.ibm.com>
>>
>> ---
>> v9:
>>    - Jump to err_audit when unsupported rules are detected
>> ---
>>   security/integrity/ima/ima_policy.c | 12 ++++++++++++
>>   1 file changed, 12 insertions(+)
>>
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index 59e4ae5a6361..45a997709200 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -1812,6 +1812,17 @@ static int ima_parse_rule(struct ima_namespace *ns,
>>   			result = -EINVAL;
>>   			break;
>>   		}
>> +
>> +		/* IMA namespace only accepts AUDIT rules */
>> +		if (ns != &init_ima_ns && result == 0) {
>> +			switch (entry->action) {
>> +			case MEASURE:
>> +			case APPRAISE:
>> +			case HASH:
> 
> So... what about DONT_MEASURE and DONT_APPRAISE?

They don't cause IMA to do anything that is not supported at this point 
so I let them pass. If you set these you still don't get a measurements 
or appraisal and that's good at this point..

> 
>> +				result = -EINVAL;
>> +				goto err_audit;
>> +			}
>> +		}
>>   	}
>>   	if (!result && !ima_validate_rule(entry))
>>   		result = -EINVAL;
>> @@ -1824,6 +1835,7 @@ static int ima_parse_rule(struct ima_namespace *ns,
>>   		check_template_modsig(template_desc);
>>   	}
>>   
>> +err_audit:
>>   	audit_log_format(ab, "res=%d", !result);
>>   	audit_log_end(ab);
>>   	return result;
>> -- 
>> 2.34.1

More information about the Linux-security-module-archive mailing list