[systemd-devel] [PATCH] Partially revert "ma-setup: simplify"

Mimi Zohar zohar at linux.vnet.ibm.com
Mon Jun 1 08:57:25 PDT 2015


On Mon, 2015-06-01 at 10:36 -0400, Zbigniew Jędrzejewski-Szmek wrote:
> ---
> OK, that's strange. Because the error message comes from copy_bytes() failing,
> and in copy_bytes() EINVAL could only originate in loop_write(), unless
> I'm missing something. Can you check the following patch, which essentially
> reverts to the old copy method?
> 
> Zbyszek

With minor "include" changes to have it apply cleanly, the IMA policy is
loaded properly.

Mimi

> 
> src/core/ima-setup.c | 17 ++++++++++++++---
>  1 file changed, 14 insertions(+), 3 deletions(-)
> 
> diff --git a/src/core/ima-setup.c b/src/core/ima-setup.c
> index 7721b3ecaf..531c4e1931 100644
> --- a/src/core/ima-setup.c
> +++ b/src/core/ima-setup.c
> @@ -24,9 +24,10 @@
>  #include <unistd.h>
>  #include <errno.h>
>  #include <fcntl.h>
> +#include <sys/stat.h>
> +#include <sys/mman.h>
> 
>  #include "ima-setup.h"
> -#include "copy.h"
>  #include "util.h"
>  #include "log.h"
> 
> @@ -39,6 +40,8 @@ int ima_setup(void) {
> 
>  #ifdef HAVE_IMA
>          _cleanup_close_ int policyfd = -1, imafd = -1;
> +        struct stat st;
> +        char *policy;
> 
>          if (access(IMA_SECFS_DIR, F_OK) < 0) {
>                  log_debug("IMA support is disabled in the kernel, ignoring.");
> @@ -53,7 +56,7 @@ int ima_setup(void) {
>          }
> 
>          if (access(IMA_SECFS_POLICY, F_OK) < 0) {
> -                log_warning("Another IMA custom policy has already been loaded, ignoring.");
> +                log_error("Another IMA custom policy has already been loaded, ignoring.");
>                  return 0;
>          }
> 
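Review bot: the log_warning to log_error change at `-                log_warning("Another IMA custom policy has already been loaded, ignoring.");` is out of scope for a patch that only reverts the copy method, and it contradicts the two lines that follow it: the message still says "ignoring" and the function still returns 0, so the case is logged as an error but treated as success. Either leave it at log_warning, or, if an already-loaded policy is genuinely an error for ima_setup(), return a negative value as well and say so in the commit message.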
> @@ -63,12 +66,20 @@ int ima_setup(void) {
>                  return 0;
>          }
> 
> -        r = copy_bytes(policyfd, imafd, (off_t) -1, false);
> +        if (fstat(policyfd, &st) < 0)
> +                return log_error_errno(errno, "Failed to fstat "IMA_POLICY_PATH": %m");
> +
> +        policy = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, policyfd, 0);
> +        if (policy == MAP_FAILED)
> +                return log_error_errno(errno, "Failed to mmap "IMA_POLICY_PATH": %m");
> +
> +        r = loop_write(imafd, policy, (size_t) st.st_size, false);
>          if (r < 0)
>                  log_error_errno(r, "Failed to load the IMA custom policy file "IMA_POLICY_PATH": %m");
>          else
>                  log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH".");
> 
> +        munmap(policy, st.st_size);
>  #endif /* HAVE_IMA */
>          return r;
>  }
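Review bot: `policy = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, policyfd, 0);` fails with EINVAL when st.st_size is 0, so an empty policy file now yields "Failed to mmap ..." and a negative return, where copying nothing used to succeed; after the fstat, return 0 for st.st_size == 0 and also check S_ISREG(st.st_mode), since a non-regular file cannot be mapped this way. Note also that the fstat and mmap failures return the negative value from log_error_errno(), while the access()/open() failures just above return 0; the commit message should say whether failing to load the policy is meant to be fatal for the caller. Finally, the message does not explain why the copy method matters: the only difference visible here is that the whole file is handed to loop_write() as one buffer, and a sentence on why the chunked copy_bytes() path produced EINVAL (which Zbyszek's note says can only come from loop_write()) belongs in the commit message so the next reader does not have to bisect it again.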

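As an added, stand-alone illustration (this is not systemd code and not part of the thread): the mmap-and-single-write approach the patch takes, with the zero-length, non-regular-file and short-write cases handled, round-tripped through a temp file and a pipe that stands in for the securityfs policy node. The sample policy text is constructed, and the function names (`write_all`, `load_file_into_fd`, `roundtrip_policy`) are assumptions of this example, not systemd's.

```c
/* Added example, not systemd's code: the patch's mmap + loop_write approach
 * as a stand-alone helper, covering the cases the hunk leaves unhandled
 * (zero-length file, non-regular file, short writes). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample in IMA rule syntax; stands in for /etc/ima/ima-policy. */
static const char SAMPLE_POLICY[] =
        "measure func=BPRM_CHECK\n"
        "appraise func=FILE_CHECK\n";

/* Write all of buf to fd, resuming after short writes and EINTR.
 * Returns 0 on success or -errno (the convention systemd's loop_write uses). */
static int write_all(int fd, const void *buf, size_t len) {
        const char *p = buf;
        while (len > 0) {
                ssize_t n = write(fd, p, len);
                if (n < 0) {
                        if (errno == EINTR)
                                continue;
                        return -errno;
                }
                if (n == 0)
                        return -EIO;
                p += n;
                len -= (size_t) n;
        }
        return 0;
}

/* Map a regular file and push it into dst_fd in one pass.
 * Returns bytes written (>= 0) or -errno. A zero-length source returns 0
 * without calling mmap, which rejects a length of 0 with EINVAL. */
static ssize_t load_file_into_fd(const char *path, int dst_fd) {
        struct stat st;
        void *map;
        int fd, r;

        fd = open(path, O_RDONLY | O_CLOEXEC);
        if (fd < 0)
                return -errno;
        if (fstat(fd, &st) < 0) {
                r = -errno;
                close(fd);
                return r;
        }
        if (!S_ISREG(st.st_mode) || st.st_size == 0) {
                close(fd);
                return S_ISREG(st.st_mode) ? 0 : -EINVAL;
        }
        map = mmap(NULL, (size_t) st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
        if (map == MAP_FAILED) {
                r = -errno;
                close(fd);
                return r;
        }
        close(fd);  /* the mapping outlives the descriptor */

        r = write_all(dst_fd, map, (size_t) st.st_size);
        munmap(map, (size_t) st.st_size);
        return r < 0 ? (ssize_t) r : (ssize_t) st.st_size;
}

/* Round-trip policy_text through a temp file and a pipe standing in for the
 * securityfs policy node. Returns bytes transferred or -errno; -EIO if the
 * reader did not get back exactly what was sent. */
static ssize_t roundtrip_policy(const char *policy_text) {
        char path[] = "/tmp/ima-policy-XXXXXX";
        char buf[4096];
        int tmp, fds[2];
        ssize_t n, got;

        tmp = mkstemp(path);
        if (tmp < 0)
                return -errno;
        n = write_all(tmp, policy_text, strlen(policy_text));
        close(tmp);
        if (n < 0 || pipe(fds) < 0) {
                unlink(path);
                return n < 0 ? n : -errno;
        }
        n = load_file_into_fd(path, fds[1]);
        unlink(path);
        close(fds[1]);
        got = n < 0 ? 0 : read(fds[0], buf, sizeof buf);
        close(fds[0]);
        if (n < 0)
                return n;
        if (got != n || memcmp(buf, policy_text, (size_t) n) != 0)
                return -EIO;
        return n;
}

int main(int argc, char **argv) {
        /* With a path argument, push that file to stdout the way PID 1 would
         * push it to the policy node; otherwise run the self-check. */
        ssize_t n = argc > 1 ? load_file_into_fd(argv[1], STDOUT_FILENO)
                             : roundtrip_policy(SAMPLE_POLICY);
        if (n < 0) {
                fprintf(stderr, "failed: %s\n", strerror((int) -n));
                return 1;
        }
        fprintf(stderr, "transferred %zd bytes\n", n);
        return 0;
}
```

Run it with no arguments for the self-check, or with a path to see the whole file go out in one pass; the empty-file and directory cases return 0 and -EINVAL respectively instead of surfacing mmap's EINVAL as a load failure.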